From 122218ad0cd874336a83337bc81f9afb950eabb4 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 21 Mar 2024 09:16:28 -0400 Subject: [PATCH 001/298] initial commit --- .gitignore | 41 +++ tofu/README.md | 9 + .../data-store/cache/.terraform.lock.hcl | 19 ++ .../data-store/cache/terragrunt.hcl | 51 ++++ .../data-store/database/.terraform.lock.hcl | 38 +++ .../data-store/database/terragrunt.hcl | 63 +++++ tofu/environments/production/environment.hcl | 10 + .../production/environment_vars.yaml | 4 + .../network/vpc/.terraform.lock.hcl | 20 ++ .../production/network/vpc/terragrunt.hcl | 31 +++ .../services/backend/.terraform.lock.hcl | 20 ++ .../services/backend/terragrunt.hcl | 50 ++++ .../services/frontend/.terraform.lock.hcl | 19 ++ .../services/frontend/terragrunt.hcl | 46 ++++ .../terraform/tfbackend/.terraform.lock.hcl | 19 ++ .../terraform/tfbackend/terragrunt.hcl | 28 ++ tofu/environments/project_vars.yaml | 4 + .../data-store/cache/.terraform.lock.hcl | 19 ++ .../stage/data-store/cache/terragrunt.hcl | 51 ++++ .../data-store/database/.terraform.lock.hcl | 38 +++ .../stage/data-store/database/terragrunt.hcl | 63 +++++ tofu/environments/stage/environment.hcl | 10 + tofu/environments/stage/environment_vars.yaml | 4 + .../stage/network/vpc/.terraform.lock.hcl | 20 ++ .../stage/network/vpc/terragrunt.hcl | 31 +++ .../services/backend/.terraform.lock.hcl | 20 ++ .../stage/services/backend/terragrunt.hcl | 50 ++++ .../services/frontend/.terraform.lock.hcl | 19 ++ .../stage/services/frontend/terragrunt.hcl | 46 ++++ .../terraform/tfbackend/.terraform.lock.hcl | 19 ++ .../stage/terraform/tfbackend/terragrunt.hcl | 28 ++ tofu/environments/terragrunt.hcl | 32 +++ tofu/modules/data-store/cache/main.tf | 40 +++ tofu/modules/data-store/cache/outputs.tf | 7 + tofu/modules/data-store/cache/variables.tf | 26 ++ tofu/modules/data-store/database/main.tf | 80 ++++++ tofu/modules/data-store/database/outputs.tf | 9 + tofu/modules/data-store/database/variables.tf | 41 +++ tofu/modules/network/vpc/dependencies.tf | 1 + tofu/modules/network/vpc/main.tf | 249 
++++++++++++++++++ tofu/modules/network/vpc/outputs.tf | 35 +++ tofu/modules/network/vpc/variables.tf | 24 ++ tofu/modules/services/backend/main.tf | 206 +++++++++++++++ tofu/modules/services/backend/outputs.tf | 11 + tofu/modules/services/backend/variables.tf | 49 ++++ tofu/modules/services/frontend/main.tf | 166 ++++++++++++ tofu/modules/services/frontend/output.tf | 7 + tofu/modules/services/frontend/variables.tf | 39 +++ tofu/modules/terraform/tfbackend/main.tf | 47 ++++ tofu/modules/terraform/tfbackend/variables.tf | 15 ++ 50 files changed, 1974 insertions(+) create mode 100644 tofu/README.md create mode 100644 tofu/environments/production/data-store/cache/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/cache/terragrunt.hcl create mode 100644 tofu/environments/production/data-store/database/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/database/terragrunt.hcl create mode 100644 tofu/environments/production/environment.hcl create mode 100644 tofu/environments/production/environment_vars.yaml create mode 100644 tofu/environments/production/network/vpc/.terraform.lock.hcl create mode 100644 tofu/environments/production/network/vpc/terragrunt.hcl create mode 100644 tofu/environments/production/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/production/services/backend/terragrunt.hcl create mode 100644 tofu/environments/production/services/frontend/.terraform.lock.hcl create mode 100644 tofu/environments/production/services/frontend/terragrunt.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/terragrunt.hcl create mode 100644 tofu/environments/project_vars.yaml create mode 100644 tofu/environments/stage/data-store/cache/.terraform.lock.hcl create mode 100644 tofu/environments/stage/data-store/cache/terragrunt.hcl create mode 100644 
tofu/environments/stage/data-store/database/.terraform.lock.hcl create mode 100644 tofu/environments/stage/data-store/database/terragrunt.hcl create mode 100644 tofu/environments/stage/environment.hcl create mode 100644 tofu/environments/stage/environment_vars.yaml create mode 100644 tofu/environments/stage/network/vpc/.terraform.lock.hcl create mode 100644 tofu/environments/stage/network/vpc/terragrunt.hcl create mode 100644 tofu/environments/stage/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/backend/terragrunt.hcl create mode 100644 tofu/environments/stage/services/frontend/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/frontend/terragrunt.hcl create mode 100644 tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl create mode 100644 tofu/environments/stage/terraform/tfbackend/terragrunt.hcl create mode 100644 tofu/environments/terragrunt.hcl create mode 100644 tofu/modules/data-store/cache/main.tf create mode 100644 tofu/modules/data-store/cache/outputs.tf create mode 100644 tofu/modules/data-store/cache/variables.tf create mode 100644 tofu/modules/data-store/database/main.tf create mode 100644 tofu/modules/data-store/database/outputs.tf create mode 100644 tofu/modules/data-store/database/variables.tf create mode 100644 tofu/modules/network/vpc/dependencies.tf create mode 100644 tofu/modules/network/vpc/main.tf create mode 100644 tofu/modules/network/vpc/outputs.tf create mode 100644 tofu/modules/network/vpc/variables.tf create mode 100644 tofu/modules/services/backend/main.tf create mode 100644 tofu/modules/services/backend/outputs.tf create mode 100644 tofu/modules/services/backend/variables.tf create mode 100644 tofu/modules/services/frontend/main.tf create mode 100644 tofu/modules/services/frontend/output.tf create mode 100644 tofu/modules/services/frontend/variables.tf create mode 100644 tofu/modules/terraform/tfbackend/main.tf create mode 100644 
tofu/modules/terraform/tfbackend/variables.tf
diff --git a/.gitignore b/.gitignore
index 28b32f1c3..c5fdbdc42 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,44 @@ venv
 .coverage
 htmlcov
 caldav
+
+# Mac noise
+**/.DS_Store
+
+# Terragrunt
+**/.terragrunt-cache
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
\ No newline at end of file
diff --git a/tofu/README.md b/tofu/README.md
new file mode 100644
index 000000000..8fe4b2658
--- /dev/null
+++ b/tofu/README.md
@@ -0,0 +1,9 @@
+## Deployment Order
+
+1. /terraform/tfbackend
+2. /network/vpc
+3. /services/backend
+4. /data-store/cache
+5. /data-store/database
+6. /network/cdn
+7. /services/frontend
diff --git a/tofu/environments/production/data-store/cache/.terraform.lock.hcl b/tofu/environments/production/data-store/cache/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/production/data-store/cache/.terraform.lock.hcl
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl new file mode 100644 index 000000000..38984b063 --- /dev/null +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl 
@@ -0,0 +1,51 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/cache"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.database_subnets
+ source_security_groups = [dependency.backend.outputs.security_group_id]
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/data-store/database/.terraform.lock.hcl b/tofu/environments/production/data-store/database/.terraform.lock.hcl
new file mode 100644
index 000000000..520f9bfec
--- /dev/null
+++ b/tofu/environments/production/data-store/database/.terraform.lock.hcl
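Review bot: The `vpc` mock outputs declare `subnets` and `source_security_groups`, but the `inputs` block reads `dependency.vpc.outputs.database_subnets`, so a `validate` run that falls back to the mocks fails on a missing attribute instead of checking the module; `source_security_groups` is never read from the vpc dependency at all. Replace the two keys with `database_subnets = []`. Keeping `mock_outputs_allowed_terraform_commands = ["validate"]` is right for a security-group wiring like `source_security_groups = [dependency.backend.outputs.security_group_id]` — a placeholder group id must never reach plan or apply.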
@@ -0,0 +1,38 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 5.36.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + constraints = ">= 3.1.0" + hashes = [ + "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} 
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
new file mode 100644
index 000000000..17e31130f
--- /dev/null
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -0,0 +1,63 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/database"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "cache" {
+ config_path = "../cache"
+
+ mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "sg-mocksecuritygroup"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnet_group = dependency.vpc.outputs.database_subnet_group
+ elasticache_security_group = dependency.cache.outputs.security_group_id
+ backend_security_group = dependency.backend.outputs.security_group_id
+ tags = local.tags
+}
\ No newline at end of file
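Review bot: The `cache` dependency allows mock outputs for `plan` as well as `validate`, unlike the `vpc` and `backend` dependencies in the same file, so a plan can be produced with the placeholder `security_group_id = "mock_sg_id"` wired into `elasticache_security_group`; that plan looks green while the cache stack is missing or broken and only fails at apply, which is a poor signal for a rule that decides who may reach the production database. Use `mock_outputs_allowed_terraform_commands = ["validate"]` here too. Separately, the `vpc` mock has no `database_subnet_group` key although `inputs` reads `dependency.vpc.outputs.database_subnet_group`, so even validate fails when the mocks are used; add `database_subnet_group = "mock_subnet_group"` and drop the unused `subnets`/`source_security_groups` keys.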
diff --git a/tofu/environments/production/environment.hcl b/tofu/environments/production/environment.hcl
new file mode 100644
index 000000000..6aa839efa
--- /dev/null
+++ b/tofu/environments/production/environment.hcl
@@ -0,0 +1,10 @@
+locals {
+ environment_vars = yamldecode(file("environment_vars.yaml"))
+
+ environment = local.environment_vars.environment
+ region = local.environment_vars.region
+
+ tags = {
+ environment = local.environment
+ }
+}
\ No newline at end of file
diff --git a/tofu/environments/production/environment_vars.yaml b/tofu/environments/production/environment_vars.yaml
new file mode 100644
index 000000000..e415a0ef9
--- /dev/null
+++ b/tofu/environments/production/environment_vars.yaml
@@ -0,0 +1,4 @@
+---
+environment: production
+region: us-east-1
+...
\ No newline at end of file
diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/production/network/vpc/.terraform.lock.hcl
new file mode 100644
index 000000000..c8048244a
--- /dev/null
+++ b/tofu/environments/production/network/vpc/.terraform.lock.hcl
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.0.0, >= 5.30.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/network/vpc/terragrunt.hcl b/tofu/environments/production/network/vpc/terragrunt.hcl new file mode 100644 index 000000000..edae031a7 --- /dev/null +++ b/tofu/environments/production/network/vpc/terragrunt.hcl 
@@ -0,0 +1,31 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/network/vpc"
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc_cidr = "10.0.0.0/16"
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend/.terraform.lock.hcl
new file mode 100644
index 000000000..16bf2d314
--- /dev/null
+++ b/tofu/environments/production/services/backend/.terraform.lock.hcl
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend/terragrunt.hcl new file mode 100644 index 000000000..15a0c4d04 --- /dev/null +++ b/tofu/environments/production/services/backend/terragrunt.hcl 
@@ -0,0 +1,50 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ ecr_endpoint_security_group = "mock_sg"
+ secrets_endpoint_security_group = "mock_sg"
+ logs_endpoint_security_group = "mock_sg"
+ database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.private_subnets
+ ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group
+ secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
+ logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group
+ database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/production/services/frontend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/production/services/frontend/.terraform.lock.hcl
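Review bot: The `vpc` mock outputs provide `subnets = []`, but `inputs` reads `dependency.vpc.outputs.private_subnets`, so the mock set does not cover what this stack consumes and a mocked `validate` fails on the missing attribute; rename it to `private_subnets = []`. The other mocked keys (`vpc_id`, the three endpoint security groups, `database_subnet_cidrs`) do match the `inputs` block. Since the backend is handed `database_subnet_cidrs` while the database stack receives the backend's security group id, the two sides of the backend-to-database path appear to be expressed differently (CIDR on one side, security group on the other); whether that is intended depends on the module, which is outside this hunk, so a one-line comment on `database_subnet_cidrs` saying what it is used for would help the next reader.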
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl new file mode 100644 index 000000000..275e71ba4 --- /dev/null +++ b/tofu/environments/production/services/frontend/terragrunt.hcl 
@@ -0,0 +1,46 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/frontend"
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ id = "mock_alb_id"
+ dns_name = "mock_dns_name"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+
+
+ ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ tags = local.tags
+ ssl_cert = local.ssl_cert
+ backend_id = dependency.backend.outputs.id
+ backend_dns_name = dependency.backend.outputs.dns_name
+}
\ No newline at end of file
diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl
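Review bot: The ACM certificate ARN is hard-coded in `locals`, which commits the AWS account ID to version control and ties certificate rotation to a code change in the production stack. Every other per-environment value in this file already comes from `environment_vars.yaml` through `include.environment.locals`, so the ARN belongs there as well — add `ssl_cert: arn:aws:acm:...` to the YAML and read it as `ssl_cert = include.environment.locals.environment_vars.ssl_cert` — or better, have the frontend module look the certificate up with a `data "aws_acm_certificate"` block keyed on the domain so no ARN is committed at all. An account ID is not a secret on its own, but paired with the resource naming scheme visible here it makes enumeration of the account easier if the repository is public.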
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl new file mode 100644 index 000000000..74efdd318 --- /dev/null +++ b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl 
@@ -0,0 +1,28 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/terraform/tfbackend"
+}
+
+locals {
+ bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state"
+ table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks"
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ bucket_name = local.bucket_name
+ table_name = local.table_name
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/project_vars.yaml b/tofu/environments/project_vars.yaml
new file mode 100644
index 000000000..02925aa85
--- /dev/null
+++ b/tofu/environments/project_vars.yaml
@@ -0,0 +1,4 @@
+---
+project: appointment
+short_name: apmt
+...
\ No newline at end of file
diff --git a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl
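Review bot: `bucket_name` resolves to a fully predictable, globally-scoped S3 name (`tb-apmt-production-state`, given `short_name: apmt` in project_vars.yaml), and S3 bucket names are claimable by any account; if the bucket is deleted or not yet created, someone else can register that name, which at best blocks deployment and at worst lets a misconfigured backend write this environment's state into a bucket the project does not own. Fold the account ID into the name, e.g. `bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-${get_aws_account_id()}-state"`, so the name is not guessable from the repository alone. This stack also includes the root config, and the root `terragrunt.hcl` (outside this hunk) presumably points `remote_state` at the same bucket; if so, Terragrunt's automatic backend bootstrap and this module would both claim to own the bucket's settings, so a comment here stating which one is authoritative, or an explicit note that this stack uses a local backend, would save the next operator a surprise.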
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl new file mode 100644 index 000000000..38984b063 --- /dev/null +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl 
@@ -0,0 +1,51 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/cache"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.database_subnets
+ source_security_groups = [dependency.backend.outputs.security_group_id]
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl
new file mode 100644
index 000000000..520f9bfec
--- /dev/null
+++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl
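Review bot: This stage copy is byte-identical to the production cache stack (same blob `38984b063`), so it carries the same mock mismatch: the `vpc` mock declares `subnets` and `source_security_groups` while `inputs` reads `dependency.vpc.outputs.database_subnets`. Replace the two mock keys with `database_subnets = []`. With the two files identical apart from their path, the per-environment differences (none today) would be easier to audit if the shared block lived in a parent `.hcl` and only the environment-specific inputs stayed here.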
@@ -0,0 +1,38 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 5.36.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + constraints = ">= 3.1.0" + hashes = [ + "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} 
diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl
new file mode 100644
index 000000000..17e31130f
--- /dev/null
+++ b/tofu/environments/stage/data-store/database/terragrunt.hcl
@@ -0,0 +1,63 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/database"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "cache" {
+ config_path = "../cache"
+
+ mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "sg-mocksecuritygroup"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnet_group = dependency.vpc.outputs.database_subnet_group
+ elasticache_security_group = dependency.cache.outputs.security_group_id
+ backend_security_group = dependency.backend.outputs.security_group_id
+ tags = local.tags
+}
\ No newline at end of file
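Review bot: As in the production copy (same blob `17e31130f`), the `cache` dependency permits mock outputs on `plan`, so a stage plan can be generated with `security_group_id = "mock_sg_id"` standing in for the real cache security group and only fail at apply; align it with the neighbouring dependencies using `mock_outputs_allowed_terraform_commands = ["validate"]`. The `vpc` mock is also missing the `database_subnet_group` key that `inputs` reads, so add `database_subnet_group = "mock_subnet_group"` there.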
diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl
new file mode 100644
index 000000000..6aa839efa
--- /dev/null
+++ b/tofu/environments/stage/environment.hcl
@@ -0,0 +1,10 @@
+locals {
+ environment_vars = yamldecode(file("environment_vars.yaml"))
+
+ environment = local.environment_vars.environment
+ region = local.environment_vars.region
+
+ tags = {
+ environment = local.environment
+ }
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/environment_vars.yaml b/tofu/environments/stage/environment_vars.yaml
new file mode 100644
index 000000000..979b28002
--- /dev/null
+++ b/tofu/environments/stage/environment_vars.yaml
@@ -0,0 +1,4 @@
+---
+environment: stage
+region: us-east-1
+...
\ No newline at end of file
diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
new file mode 100644
index 000000000..c8048244a
--- /dev/null
+++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.0.0, >= 5.30.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/network/vpc/terragrunt.hcl b/tofu/environments/stage/network/vpc/terragrunt.hcl new file mode 100644 index 000000000..edae031a7 --- /dev/null +++ b/tofu/environments/stage/network/vpc/terragrunt.hcl 
@@ -0,0 +1,31 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/network/vpc"
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc_cidr = "10.0.0.0/16"
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend/.terraform.lock.hcl
new file mode 100644
index 000000000..16bf2d314
--- /dev/null
+++ b/tofu/environments/stage/services/backend/.terraform.lock.hcl
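Review bot: `vpc_cidr = "10.0.0.0/16"` is hard-coded in the stage stack, and the production `network/vpc/terragrunt.hcl` in this commit has the same line count, so it very likely carries the same block; two environments on identical CIDRs cannot later be peered or attached to a shared transit gateway without re-addressing one of them. Since `environment_vars.yaml` already holds the per-environment `region`, a `vpc_cidr` key there and `vpc_cidr = include.environment.locals.vpc_cidr` here keep the address plan in one place per environment.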
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend/terragrunt.hcl new file mode 100644 index 000000000..15a0c4d04 --- /dev/null +++ b/tofu/environments/stage/services/backend/terragrunt.hcl 
@@ -0,0 +1,50 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ ecr_endpoint_security_group = "mock_sg"
+ secrets_endpoint_security_group = "mock_sg"
+ logs_endpoint_security_group = "mock_sg"
+ database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.private_subnets
+ ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group
+ secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
+ logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group
+ database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/services/frontend/.terraform.lock.hcl b/tofu/environments/stage/services/frontend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/stage/services/frontend/.terraform.lock.hcl
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl new file mode 100644 index 000000000..275e71ba4 --- /dev/null +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl 
@@ -0,0 +1,46 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/frontend"
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ id = "mock_alb_id"
+ dns_name = "mock_dns_name"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+
+
+ ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ tags = local.tags
+ ssl_cert = local.ssl_cert
+ backend_id = dependency.backend.outputs.id
+ backend_dns_name = dependency.backend.outputs.dns_name
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl
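Review bot: `ssl_cert` is a literal ACM certificate ARN inside the stage `locals`, which pins the account id and `us-east-1` in code while `region` is read from `environment_vars.yaml`; the two values can silently diverge, and the production stack presumably has to carry its own hard-coded ARN the same way. Keep it with the other per-environment values in `environment_vars.yaml` (for example a `ssl_cert_arn` key) and read it as `ssl_cert = include.environment.locals.ssl_cert_arn`. The two blank lines above `ssl_cert` look unintentional.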
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl b/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl new file mode 100644 index 000000000..74efdd318 --- /dev/null +++ b/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl 
@@ -0,0 +1,28 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/terraform/tfbackend" +} + +locals { + bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state" + table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks" + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + bucket_name = local.bucket_name + table_name = local.table_name + tags = local.tags +} \ No newline at end of file diff --git a/tofu/environments/terragrunt.hcl b/tofu/environments/terragrunt.hcl new file mode 100644 index 000000000..ebf864a0b --- /dev/null +++ b/tofu/environments/terragrunt.hcl @@ -0,0 +1,32 @@ +terraform_binary = "tofu" + +locals { + project_vars = yamldecode(file("project_vars.yaml")) + + project = local.project_vars.project + short_name = local.project_vars.short_name + + tags = { + project = local.project + managed = "terragrunt" + } + + parsed = regex(".*/environments/(?P.*?)/.*", get_terragrunt_dir()) + env = local.parsed.env +} + +generate "backend" { + path = "backend.tf" + if_exists = "overwrite_terragrunt" + contents = < Date: Thu, 21 Mar 2024 10:34:24 -0400 Subject: [PATCH 002/298] added version constraints --- tofu/README.md | 51 +++++++++++++++++++++---- tofu/environments/stage/environment.hcl | 15 ++++++++ tofu/environments/terragrunt.hcl | 3 ++ 3 files changed, 62 insertions(+), 7 deletions(-) diff --git a/tofu/README.md b/tofu/README.md index 8fe4b2658..0cd4c7c66 100644 --- a/tofu/README.md +++ b/tofu/README.md 
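Review bot: `bucket_name` is built only from `short_name` and `environment`, but S3 bucket names are unique across all AWS accounts, so `tb-<short_name>-stage-state` may already be owned by another account and the apply would fail, and a typo in `short_name` could point the state backend at a name that is not yours. Appending the account id, for example `bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-${get_aws_account_id()}-state"`, makes the name deterministic and unique per account; the DynamoDB `table_name` is account-scoped and can stay as it is. The root `tofu/environments/terragrunt.hcl` hunk that follows on this line is truncated in this rendering (the `generate "backend"` heredoc body and the regex group name are missing), so I have not reviewed it.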
@@ -1,9 +1,46 @@ +## Tooling +Code was written and tested with the following (these versions are enforced in code as minimums): +- OpenTofu v1.6.2 +- Terragrunt 0.55.15 +- hashicorp/aws v5.41.0 + +**Note:** All code should be run through Terragrunt, which will then execute the required Tofu commands + ## Deployment Order -1. /terraform/tfbackend -2. /network/vpc -3. /services/backend -4. /data-store/cache -5. /data-store/database -6. /network/cdn -7. /services/frontend +1. tofu/environments/\/terraform/tfbackend + 1. `cd tofu/environments//terraform/tfbackend` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` +2. tofu/environments/\/network/vpc + 1. `cd tofu/environments//network/vpc` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` +3. tofu/environments/\/services/backend + 1. `cd tofu/environments//services/backend` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` +4. tofu/environments/\/data-store/cache + 1. `cd tofu/environments//datastore/cache` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` +5. tofu/environments/\/data-store/database + 1. `cd tofu/environments//data-store/database` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` +6. tofu/environments/\/services/frontend + 1. `cd tofu/environments//services/frontend` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 6aa839efa..df71b9023 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl 
@@ -7,4 +7,19 @@ locals { tags = { environment = local.environment } +} + +generate "versions" { + path = "versions_override.tf" + if_exists = "overwrite_terragrunt" + contents = < Date: Tue, 26 Mar 2024 10:11:01 -0400 Subject: [PATCH 003/298] add backend service --- tofu/README.md | 74 ++++++++- .../data-store/cache/terragrunt.hcl | 4 +- .../data-store/database/terragrunt.hcl | 2 +- .../.terraform.lock.hcl | 0 .../{backend => backend-infra}/terragrunt.hcl | 2 +- .../services/frontend/terragrunt.hcl | 2 +- .../stage/data-store/cache/terragrunt.hcl | 4 +- .../stage/data-store/database/terragrunt.hcl | 4 +- .../.terraform.lock.hcl | 0 .../{backend => backend-infra}/terragrunt.hcl | 2 +- .../backend-service/.terraform.lock.hcl | 20 +++ .../services/backend-service/terragrunt.hcl | 54 +++++++ .../stage/services/frontend/terragrunt.hcl | 4 +- .../{backend => backend-infra}/main.tf | 24 +-- .../modules/services/backend-infra/outputs.tf | 27 ++++ .../{backend => backend-infra}/variables.tf | 6 + tofu/modules/services/backend-service/main.tf | 145 ++++++++++++++++++ .../services/backend-service/variables.tf | 39 +++++ tofu/modules/services/backend/outputs.tf | 11 -- 19 files changed, 371 insertions(+), 53 deletions(-) rename tofu/environments/production/services/{backend => backend-infra}/.terraform.lock.hcl (100%) rename tofu/environments/production/services/{backend => backend-infra}/terragrunt.hcl (96%) rename tofu/environments/stage/services/{backend => backend-infra}/.terraform.lock.hcl (100%) rename tofu/environments/stage/services/{backend => backend-infra}/terragrunt.hcl (96%) create mode 100644 tofu/environments/stage/services/backend-service/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/backend-service/terragrunt.hcl rename tofu/modules/services/{backend => backend-infra}/main.tf (89%) create mode 100644 tofu/modules/services/backend-infra/outputs.tf rename tofu/modules/services/{backend => backend-infra}/variables.tf (87%) create mode 
100644 tofu/modules/services/backend-service/main.tf create mode 100644 tofu/modules/services/backend-service/variables.tf delete mode 100644 tofu/modules/services/backend/outputs.tf diff --git a/tofu/README.md b/tofu/README.md index 0cd4c7c66..3a4d7b48a 100644 --- a/tofu/README.md +++ b/tofu/README.md 
@@ -1,46 +1,106 @@ ## Tooling + Code was written and tested with the following (these versions are enforced in code as minimums): + - OpenTofu v1.6.2 - Terragrunt 0.55.15 - hashicorp/aws v5.41.0 **Note:** All code should be run through Terragrunt, which will then execute the required Tofu commands - + +## Modules + +### tfbackend + +Contains the remote state resources: + +- S3 bucket - state +- DynamoDB - locks + +### vpc + +Contains the VPC and all core network resources and supporting security groups etc...including: + +- subnets +- vpc endpoints +- IGW +- NAT gateways + +### backend-infra + +Contains the ECS cluster & Application Load Balancer for the backend & supporting resources + +### cache + +Contains the Elasticache redis cluster and supporting resources + +### database + +Contains the RDS database instance and supporting resources + +### frontend + +Contains the Cloudfront CDN distribution, frontend S3 bucket and supporting resources. WHile the bucket contents will change with frontend code changes the infrastructure defined here will remain static + +### backend-service + +Contains the backend ECS service and task definitions. This will be redeployed whenever the backend code is updated + ## Deployment Order +All infrastructure should be deployed via terragrunt commands from the appropriate 'environments' folder. Tofu should never be executed directly from the 'modules' folders + +### Remote State + +This is deployed individually before any other stacks and generally should not change with application or infrastructure deployments + 1. tofu/environments/\/terraform/tfbackend 1. `cd tofu/environments//terraform/tfbackend` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` -2. tofu/environments/\/network/vpc + +### Infrastructure Stacks + +These should be deployed in the following order and generally will only be updated with infrastructure changes while remaining static for code changes + +1. 
tofu/environments/\/network/vpc 1. `cd tofu/environments//network/vpc` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` -3. tofu/environments/\/services/backend - 1. `cd tofu/environments//services/backend` +2. tofu/environments/\/services/backend-infra + 1. `cd tofu/environments//services/backend-infra` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` -4. tofu/environments/\/data-store/cache +3. tofu/environments/\/data-store/cache 1. `cd tofu/environments//datastore/cache` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` -5. tofu/environments/\/data-store/database +4. tofu/environments/\/data-store/database 1. `cd tofu/environments//data-store/database` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` -6. tofu/environments/\/services/frontend +5. tofu/environments/\/services/frontend 1. `cd tofu/environments//services/frontend` 2. `terragrun init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` + +### Application Stacks + +1. tofu/environments/\/services/backend-service + 1. `cd tofu/environments//services/backend-service` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 38984b063..a5221540a 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl 
@@ -24,9 +24,9 @@ dependency "vpc" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 17e31130f..082ef325d 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl similarity index 100% rename from tofu/environments/production/services/backend/.terraform.lock.hcl rename to tofu/environments/production/services/backend-infra/.terraform.lock.hcl diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl similarity index 96% rename from tofu/environments/production/services/backend/terragrunt.hcl rename to tofu/environments/production/services/backend-infra/terragrunt.hcl index 15a0c4d04..4e84c4c63 100644 --- a/tofu/environments/production/services/backend/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -9,7 +9,7 @@ include "environment" { } terraform { - source = "../../../../modules/services/backend" + source = "../../../../modules/services/backend-infra" } dependency "vpc" { 
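Review bot: The production database hunk keeps `config_path = "../../services/backend"` as context, but this same commit renames `production/services/backend` to `production/services/backend-infra` (see the rename headers on this line), so after the change the dependency points at a directory that no longer exists and Terragrunt will fail to resolve it; the production frontend hunk on the next line has the same stale path. Both should read `config_path = "../../services/backend-infra"`, as the stage copies of the same files now do. The enclosing `dependency "backend"` block is only partly visible in these hunks.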
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 275e71ba4..d90141733 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate","destroy"] mock_outputs = { id = "mock_alb_id" dns_name = "mock_dns_name" diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 38984b063..a5221540a 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "vpc" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 17e31130f..9b01cb4b6 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "cache" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } 
diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl similarity index 100% rename from tofu/environments/stage/services/backend/.terraform.lock.hcl rename to tofu/environments/stage/services/backend-infra/.terraform.lock.hcl diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl similarity index 96% rename from tofu/environments/stage/services/backend/terragrunt.hcl rename to tofu/environments/stage/services/backend-infra/terragrunt.hcl index 15a0c4d04..4e84c4c63 100644 --- a/tofu/environments/stage/services/backend/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -9,7 +9,7 @@ include "environment" { } terraform { - source = "../../../../modules/services/backend" + source = "../../../../modules/services/backend-infra" } dependency "vpc" { diff --git a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl new file mode 100644 index 000000000..373d6d9e3 --- /dev/null +++ b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl 
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl new file mode 100644 index 000000000..37f35f30f --- /dev/null +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl 
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "env" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend-service"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ private_subnets = ["subnet-mocksubnet1234567"]
+ }
+}
+
+dependency "backend-infra" {
+ config_path = "../backend-infra"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ target_group_key = "MOCK_KEY"
+ log_group = "MOCK_LOGS"
+ ecs_cluster = "MOCK_CLUSTER_ID"
+ security_group = "MOCK_SG"
+ }
+}
+
+locals {
+ environment = include.env.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}"
+ region = include.env.locals.region
+ project_tags = include.root.locals.tags
+ environment_tags = include.env.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ region = local.region
+ subnets = dependency.vpc.outputs.private_subnets
+ log_group = dependency.backend-infra.outputs.log_group
+ target_group_arn = dependency.backend-infra.outputs.target_group_arn
+ security_group = dependency.backend-infra.outputs.security_group_id
+ ecs_cluster = dependency.backend-infra.outputs.cluster_id
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl
index 275e71ba4..9500add40 100644
--- a/tofu/environments/stage/services/frontend/terragrunt.hcl
+++ b/tofu/environments/stage/services/frontend/terragrunt.hcl
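Review bot: `local.environment` is computed in `locals` but, unlike every other stack in this series, never passed in `inputs`; the backend-service module's `variables.tf` is not in view, so either the module expects an `environment` variable and validation will fail, or the local is dead code and should be dropped. The include is labelled `"env"` here while every sibling stack uses `"environment"`; using the same label keeps `include.environment.locals.*` references copy-safe between stacks. Only `validate` may use mocks on the two dependencies here, whereas the other consumers of `backend-infra` touched in this commit also allow `destroy`; if that addition was needed to tear stacks down in order, this stack will presumably need it too.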
@@ -13,9 +13,9 @@ terraform { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { id = "mock_alb_id" dns_name = "mock_dns_name" diff --git a/tofu/modules/services/backend/main.tf b/tofu/modules/services/backend-infra/main.tf similarity index 89% rename from tofu/modules/services/backend/main.tf rename to tofu/modules/services/backend-infra/main.tf index 0c8de7f96..c695fcf70 100644 --- a/tofu/modules/services/backend/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -9,7 +9,7 @@ data "aws_prefix_list" "s3" { } locals { - target_group_key = "${var.name_prefix}-ecs-backend" + target_group_key = "${var.name_prefix}-backend" } module "ecs_cluster" { @@ -28,28 +28,6 @@ module "ecs_cluster" { tags = var.tags } -/*resource "aws_ecs_service" "backend_service" { - name = "${var.name_prefix}-backend" - cluster = module.ecs_cluster.id - - launch_type = "FARGATE" - - load_balancer { - target_group_arn = module.backend_alb.target_groups["${local.target_group_key}"].arn - container_name = "backend" - container_port = 5000 - } - - network_configuration { - security_groups = [aws_security_group.backend.id] - subnets = var.subnets - } - - #task_definition = "arn:aws:ecs:${var.region}:768512802988:task-definition/${var.name_prefix}-backend" - desired_count = 1 - tags = var.tags -}*/ - module "backend_alb" { source = "terraform-aws-modules/alb/aws" version = "~> 9.0" diff --git a/tofu/modules/services/backend-infra/outputs.tf b/tofu/modules/services/backend-infra/outputs.tf new file mode 100644 index 000000000..7e8a9217b --- /dev/null +++ b/tofu/modules/services/backend-infra/outputs.tf 
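Review bot: Changing `target_group_key` from `${var.name_prefix}-ecs-backend` to `${var.name_prefix}-backend` changes the key of the ALB module's `target_groups` map, which in an environment already applied with the old key will most likely plan a replacement of the target group and its listener forwarding rule rather than an in-place rename; that deserves a line in the commit message or a comment such as `# renaming this key replaces the target group in existing environments`. The new key is also the same string as the ECS service name `${var.name_prefix}-backend` in backend-service/main.tf, which is fine but worth a comment since the two live in different modules. The `module "ecs_cluster"` and `module "backend_alb"` blocks both start or end outside these hunks.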
@@ -0,0 +1,27 @@
+output "alb_id" {
+ value = module.backend_alb.id
+}
+
+output "dns_name" {
+ value = module.backend_alb.dns_name
+}
+
+output "security_group_id" {
+ value = aws_security_group.backend.id
+}
+
+output "target_group_key" {
+ value = local.target_group_key
+}
+
+output "target_group_arn" {
+ value = module.backend_alb.target_groups["${local.target_group_key}"].arn
+}
+
+output "log_group" {
+ value = module.ecs_cluster.cloudwatch_log_group_name
+}
+
+output "cluster_id" {
+ value = module.ecs_cluster.id
+}
\ No newline at end of file
diff --git a/tofu/modules/services/backend/variables.tf b/tofu/modules/services/backend-infra/variables.tf
similarity index 87%
rename from tofu/modules/services/backend/variables.tf
rename to tofu/modules/services/backend-infra/variables.tf
index 01f678582..8a75fb8db 100644
--- a/tofu/modules/services/backend/variables.tf
+++ b/tofu/modules/services/backend-infra/variables.tf
@@ -46,4 +46,10 @@ variable "logs_endpoint_security_group" { variable "database_subnet_cidrs" { description = "Database subnet CIDRs" type = list
+}
+
+variable "backend_image" {
+ description = "Backend image ECR URI"
+ type = string
+ default = "public.ecr.aws/amazonlinux/amazonlinux:minimal"
 }
\ No newline at end of file
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
new file mode 100644
index 000000000..359106194
--- /dev/null
+++ b/tofu/modules/services/backend-service/main.tf
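Review bot: `backend_image` is added to backend-infra's variables, but the ECS service definition has just been moved out of this module (the commented-out `aws_ecs_service` in backend-infra/main.tf is deleted in this commit) and nothing in the visible backend-infra files reads `var.backend_image`, while the new backend-service task definition hard-codes its image as the bare string `backend-latest`, which is not an ECR URI. The variable belongs in backend-service/variables.tf with the task definition reading `image = var.backend_image`; the public Amazon Linux default is a reasonable placeholder there. In outputs.tf, `module.backend_alb.target_groups["${local.target_group_key}"].arn` uses legacy string interpolation for a map key; `target_groups[local.target_group_key].arn` is the HCL2 form. The outputs carry no `description` attributes, which the downstream stacks consuming `security_group_id`, `cluster_id` and `target_group_arn` would benefit from.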
@@ -0,0 +1,145 @@
+resource "aws_ecs_service" "backend_service" {
+ name = "${var.name_prefix}-backend"
+ cluster = var.ecs_cluster
+
+ launch_type = "FARGATE"
+
+ load_balancer {
+ target_group_arn = var.target_group_arn
+ container_name = "backend"
+ container_port = 5000
+ }
+
+ network_configuration {
+ security_groups = [var.security_group]
+ subnets = var.subnets
+ }
+
+ task_definition = aws_ecs_task_definition.backend.arn
+ desired_count = 1
+ tags = var.tags
+}
+
+resource "aws_ecs_task_definition" "backend" {
+ family = "appointment-definition"
+ execution_role_arn = "arn:aws:iam::768512802988:role/apointments-ci-role"
+ network_mode = "awsvpc"
+ requires_compatibilities = ["FARGATE"]
+ cpu = "512"
+ memory = "1024"
+ runtime_platform {
+ cpu_architecture = "X86_64"
+ operating_system_family = "LINUX"
+ }
+ tags = var.tags
+ container_definitions = jsonencode([
+ {
+ name = "backend"
+ image = "backend-latest"
+ cpu = 0
+ essential = true
+ portMappings = [
+ {
+ containerPort = 5000
+ hostPort = 5000
+ }
+ ]
+ environment = [
+ {
+ "name" : "FRONTEND_URL",
+ "value" : "https://stage.appointment.day"
+ },
+ {
+ "name" : "SHORT_BASE_URL",
+ "value" : "https://stage.apmt.day"
+ },
+ {
+ "name" : "TIER_BASIC_CALENDAR_LIMIT",
+ "value" : "3"
+ },
+ {
+ "name" : "TIER_PLUS_CALENDAR_LIMIT",
+ "value" : "5"
+ },
+ {
+ "name" : "TIER_PRO_CALENDAR_LIMIT",
+ "value" : "10"
+ },
+ {
+ "name" : "LOG_USE_STREAM",
+ "value" : "True"
+ },
+ {
+ "name" : "LOG_LEVEL",
+ "value" : "INFO"
+ },
+ {
+ "name" : "APP_ENV",
+ "value" : "stage"
+ },
+ {
+ "name" : "SENTRY_DSN",
+ "value" : "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648"
+ },
+ {
+ "name" : "ZOOM_API_ENABLED",
+ "value" : "True"
+ },
+ {
+ "name" : "ZOOM_AUTH_CALLBACK",
+ "value" : "https://stage.appointment.day/api/v1/zoom/callback"
+ },
+ {
+ "name" : "SERVICE_EMAIL",
+ "value" : "no-reply@appointment.day"
+ },
+ {
+ "name" : "AUTH_SCHEME",
+ "value" : "fxa"
+ },
+ {
+ "name" : "JWT_ALGO",
+ "value" : "HS256"
+ },
+ {
+ "name" : "JWT_EXPIRE_IN_MINS",
+ "value" : "10000"
+ }
+ ],
+ secrets = [
+ {
+ "name" : "DATABASE_SECRETS",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-mysql-Ixf6qD"
+ },
+ {
+ "name" : "DB_ENC_SECRET",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI"
+ },
+ {
+ "name" : "SMTP_SECRETS",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC"
+ },
+ {
+ "name" : "GOOGLE_OAUTH_SECRETS",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo"
+ },
+ {
+ "name" : "ZOOM_SECRETS",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi"
+ },
+ {
+ "name" : "FXA_SECRETS",
+ "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-7koQF0"
+ }
+ ],
+ logConfiguration = {
+ logDriver = "awslogs"
+ options = {
+ awslogs-group = var.log_group
+ awslogs-region = var.region
+ awslogs-stream-prefix = "apmt"
+ }
+ }
+ }
+ ])
+}
\ No newline at end of file
diff --git a/tofu/modules/services/backend-service/variables.tf b/tofu/modules/services/backend-service/variables.tf
new file mode 100644
index 000000000..da18e1a6c
--- /dev/null
+++ b/tofu/modules/services/backend-service/variables.tf
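Review bot: The task definition hardcodes account- and environment-specific values that belong in variables — `execution_role_arn = "arn:aws:iam::768512802988:role/apointments-ci-role"`, six `valueFrom` Secrets Manager ARNs under `staging/appointment/...`, the `stage.appointment.day`/`stage.apmt.day` hostnames and `APP_ENV = "stage"` — so this module cannot serve the `production` environment the repo also defines and the account id is committed to source. `image = "backend-latest"` is a bare name rather than a registry URI, so the agent will presumably resolve it against Docker Hub instead of the ECR image the CI workflow pushes as `$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG`; it should come from a `backend_image` variable. If `apointments-ci-role` is the role the GitHub workflow assumes, a dedicated execution role limited to ECR pull, CloudWatch log writes and `secretsmanager:GetSecretValue` on exactly these six secrets is the least-privilege shape, since the execution role needs nothing else. The `SENTRY_DSN` is not a strong credential but it is an abusable ingest key sitting in git history; moving it under `secrets` with the others keeps every credential-like value out of the task definition body. `JWT_EXPIRE_IN_MINS = "10000"` is roughly seven days, which is long for an HS256 session token — worth confirming that is intended rather than a leftover test value.

```hcl
resource "aws_ecs_task_definition" "backend" {
  family             = "appointment-definition"
  execution_role_arn = var.execution_role_arn   # declared in variables.tf, no default
  # … unchanged: network_mode, requires_compatibilities, cpu, memory, runtime_platform, tags …
  container_definitions = jsonencode([
    {
      name  = "backend"
      image = var.backend_image
      # … unchanged: cpu, essential, portMappings …
      environment = [for k, v in var.environment : { name = k, value = v }]
      secrets     = [for k, v in var.secret_arns : { name = k, valueFrom = v }]
      # … unchanged: logConfiguration …
    }
  ])
}
```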
@@ -0,0 +1,39 @@
+variable "name_prefix" {
+ description = "Prefix to be used with all resource names"
+ type = string
+}
+
+variable "subnets" {
+ description = "Backend subnets"
+ type = list(any)
+}
+
+variable "region" {
+ description = "Deployment region"
+ type = string
+}
+
+variable "log_group" {
+ description = "ECS CLoudwatch log group"
+ type = string
+}
+
+variable "tags" {
+ description = "Common tags"
+ type = map(string)
+}
+
+variable "target_group_arn" {
+ description = "Backend ALB target group arn"
+ type = string
+}
+
+variable "ecs_cluster" {
+ description = "Backend ECS cluster id"
+ type = string
+}
+
+variable "security_group" {
+ description = "Backend security group"
+ type = string
+}
\ No newline at end of file
diff --git a/tofu/modules/services/backend/outputs.tf b/tofu/modules/services/backend/outputs.tf
deleted file mode 100644
index 031f8a182..000000000
--- a/tofu/modules/services/backend/outputs.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-output "id" {
- value = module.backend_alb.id
-}
-
-output "dns_name" {
- value = module.backend_alb.dns_name
-}
-
-output "security_group_id" {
- value = aws_security_group.backend.id
-}
\ No newline at end of file
From 65836516cc7535f72d1834583110b97db0d38245 Mon Sep 17 00:00:00 2001
From: Jo
Date: Tue, 26 Mar 2024 10:11:55 -0400
Subject: [PATCH 004/298] initial iac validation code
---
 .github/workflows/aws.yml | 31 ++---------------------------
 .github/workflows/deploy.yaml | 0
 .github/workflows/iac_plan.yaml | 0
 .github/workflows/iac_validate.yaml | 26 ++++++++++++++++++++++++
 .github/workflows/main.yaml | 0
 5 files changed, 28 insertions(+), 29 deletions(-)
 create mode 100644 .github/workflows/deploy.yaml
 create mode 100644 .github/workflows/iac_plan.yaml
 create mode 100644 .github/workflows/iac_validate.yaml
 create mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/aws.yml b/.github/workflows/aws.yml
index 1ef62f5a3..8fff6b17d 100644
--- a/.github/workflows/aws.yml
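Review bot: `subnets` is typed `list(any)` although the service passes it straight to `network_configuration.subnets`, which takes subnet ids; `type = list(string)` lets `terragrunt validate` reject a wrong dependency output instead of failing at apply. The `log_group` description has a typo: `description = "ECS CloudWatch log group"`. If the execution role, image and secret ARNs in backend-service/main.tf are turned into inputs, their declarations belong in this file without defaults, so that account-specific values can only come from the per-environment terragrunt.hcl.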
+++ b/.github/workflows/aws.yml @@ -29,9 +29,6 @@ jobs: deploy: name: Build & Deploy runs-on: ubuntu-latest - environment: - name: staging - url: https://stage.appointment.day steps: - name: Checkout @@ -50,7 +47,7 @@ jobs: with: mask-password: 'true' - - name: Build, tag, and push backend to Amazon ECR + - name: Build, tag, and push backend image to Amazon ECR id: build-backend env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} @@ -62,19 +59,6 @@ jobs: docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - - name: Build, tag, and push frontend to Amazon ECR - id: build-frontend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: frontend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./frontend -f ./frontend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_frontend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - name: Fill in the new backend image ID in the Amazon ECS task definition id: task-def-backend 
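Review bot: Removing the `environment: { name: staging, url: https://stage.appointment.day }` block from the `deploy` job (first hunk) detaches it from the GitHub environment, so any protection rules attached to `staging` — required reviewers, branch restrictions, environment-scoped secrets — no longer gate this deployment and runs stop appearing in that environment's history. I cannot tell from the diff whether such rules exist; if the block was dropped only because the environment was not configured, creating it and keeping the block is the safer direction, since this job pushes images and registers task definitions with the repository's AWS credentials.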
@@ -85,18 +69,7 @@ jobs: image: ${{ steps.build-backend.outputs.image_backend }} environment-variables: "RELEASE_VERSION=${{ github.sha }}" - - name: Fill in the new frontend image ID in the Amazon ECS task definition - id: task-def-frontend - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ steps.task-def-backend.outputs.task-definition }} - container-name: ${{ env.CONTAINER_FRONTEND }} - image: ${{ steps.build-frontend.outputs.image_frontend }} - - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: - task-definition: ${{ steps.task-def-frontend.outputs.task-definition }} - service: ${{ env.ECS_SERVICE }} - cluster: ${{ env.ECS_CLUSTER }} - wait-for-service-stability: true + task-definition: ${{ steps.task-def-backend.outputs.task-definition }} diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml new file mode 100644 index 000000000..49acd0991 --- /dev/null +++ b/.github/workflows/iac_validate.yaml @@ -0,0 +1,26 @@ +name: validate-iac +on: + push: + workflow_call: +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + environment: 'stage' + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ env.tf_version }} + - run: | + git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv + sudo ln -s ~/.tgenv/bin* /usr/local/bin + tgenv install ${{ env.tg_version }} + - run: | + cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend + terragrun init + terragrunt validate + 
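Review bot: After the third aws.yml hunk the `Deploy Amazon ECS task definition` step passes only `task-definition`, so `amazon-ecs-deploy-task-definition` registers a new revision but no longer updates a service — `service`, `cluster` and `wait-for-service-stability` are gone and nothing else in the workflow consumes the registered revision. If the intent is that the tofu-managed `aws_ecs_service` (backend-service module earlier in this series) owns rollouts, note that it pins `task_definition = aws_ecs_task_definition.backend.arn`, so a CI-registered revision would never reach the running service; either restore `service:`/`cluster:` here or have the module track the latest active revision. If registering only is deliberate for now, a step comment such as `# registers the revision only; the ECS service is rolled by the IaC pipeline` would stop the next reader from re-adding the service deploy.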
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 000000000..e69de29bb From 4deed986d16bb1c2058a83d13ffc0b9a0f851663 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 10:15:35 -0400 Subject: [PATCH 005/298] fixed tgenv path --- .github/workflows/iac_validate.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 49acd0991..34208137b 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -17,8 +17,7 @@ jobs: tofu_version: ${{ env.tf_version }} - run: | git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - sudo ln -s ~/.tgenv/bin* /usr/local/bin - tgenv install ${{ env.tg_version }} + ~/.tgenv/bin/tgenv install ${{ env.tg_version }} - run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend terragrun init From 4c1967a0753e7ba4dff8d82c459cecdb91c30a7a Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 10:25:56 -0400 Subject: [PATCH 006/298] tgenv error --- .github/workflows/iac_validate.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 34208137b..94f2aa82a 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml 
@@ -12,13 +12,16 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: opentofu/setup-opentofu@v1 + - name: install opentofu + uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} - - run: | - git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - ~/.tgenv/bin/tgenv install ${{ env.tg_version }} - - run: | + - name: install tgenv + run: git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv + - name: install terragrunt + run: ~/.tgenv/bin/tgenv install ${{ env.tg_version }} + - name: validate + run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend terragrun init terragrunt validate From 0534680d8e7b2a3d8a7cd072cd7862da65ee2a78 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 11:49:59 -0400 Subject: [PATCH 007/298] terragrunt manual install --- .github/workflows/iac_validate.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 94f2aa82a..1d06f84df 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -16,10 +16,11 @@ jobs: uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} - - name: install tgenv - run: git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - name: install terragrunt - run: ~/.tgenv/bin/tgenv install ${{ env.tg_version }} + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v - name: validate run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend From 351bd3a486ac676d8b088709e29977837b22354d Mon Sep 17 00:00:00 2001 
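Review bot: In the PATCH 007 hunk the terragrunt binary is fetched with `sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64"` and executed with no integrity check, so the job runs whatever that URL serves at run time; the same three lines are copied into iac_plan.yaml, iac_apply.yaml and iac_verify.yaml later in this series, so one fix should land in all of them. Terragrunt release assets include a SHA256SUMS file, so pin the expected digest in the workflow and verify before `chmod +x`, e.g. `echo "<sha256-of-terragrunt_linux_amd64-v0.55.15, taken from the release>  /bin/terragrunt" | sha256sum -c -` (the digest is not on this page). Installing into `/usr/local/bin` rather than `/bin` would also keep the package-managed path untouched.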
From: Jo Date: Tue, 26 Mar 2024 11:51:13 -0400 Subject: [PATCH 008/298] fix typo --- .github/workflows/iac_validate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 1d06f84df..f693834ae 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -24,6 +24,6 @@ jobs: - name: validate run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend - terragrun init + terragrunt init terragrunt validate From bdc515dcf27d6d238839d8fdfc57d8faf03b4c0f Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 11:58:40 -0400 Subject: [PATCH 009/298] add all tf --- .github/workflows/iac_validate.yaml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index f693834ae..cb7c79ffa 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -21,9 +21,28 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: validate + - name: validate vpc run: | - cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend + cd ./tofu/environments/${{ env.environment }}/network/vpc + terragrunt init + terragrunt validate + - name: validate backend + run: | + cd ../../services/backend-infra + terragrunt init + terragrunt validate + - name: validate cache + run: | + cd ../../data-store/cache + terragrunt init + terragrunt validate + - name: validate database + run: | + cd ../../data-store/database + terragrunt init + terragrunt validate + - name: validate frontend + run: | + cd ../../services/frontend terragrunt init terragrunt validate - From 731298745574919d1346356a92386dc5e9b9626f Mon Sep 17 00:00:00 2001 
From: Jo Date: Tue, 26 Mar 2024 12:21:59 -0400 Subject: [PATCH 010/298] add working directories --- .github/workflows/iac_validate.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index cb7c79ffa..2160020e1 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -22,27 +22,27 @@ jobs: sudo chmod +x /bin/terragrunt terragrunt -v - name: validate vpc + working-directory: ./tofu/environments/${{ env.environment}}/network/vpc run: | - cd ./tofu/environments/${{ env.environment }}/network/vpc terragrunt init terragrunt validate - name: validate backend + working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra run: | - cd ../../services/backend-infra terragrunt init terragrunt validate - name: validate cache + working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache run: | - cd ../../data-store/cache terragrunt init terragrunt validate - name: validate database + working-directory: ./tofu/environments/${{ env.environment}}/data-store/database run: | - cd ../../data-store/database terragrunt init terragrunt validate - name: validate frontend + working-directory: ./tofu/environments/${{ env.environment}}/services/frontend run: | - cd ../../services/frontend terragrunt init terragrunt validate From b4f0548788d51281118bd029c86365c61eecca61 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 12:30:11 -0400 Subject: [PATCH 011/298] disable tofu wrapper --- .github/workflows/iac_validate.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 2160020e1..e87d010ad 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml 
@@ -16,6 +16,7 @@ jobs: uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} + tofu_wrapper: false - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" From fd29eb34c47e1087f2b548478b4c7554dca6461c Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 12:32:36 -0400 Subject: [PATCH 012/298] add aws creds --- .github/workflows/iac_validate.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index e87d010ad..3917c488f 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -6,12 +6,20 @@ env: tf_version: '1.6.2' tg_version: '0.55.15' environment: 'stage' + AWS_REGION: us-east-1 jobs: validate-iac: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} - name: install opentofu uses: opentofu/setup-opentofu@v1 with: From e76a797335932df17cd0458ed33534ecc0bf220a Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:31:53 -0400 Subject: [PATCH 013/298] add aws creds --- .github/workflows/iac_validate.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 3917c488f..dcd9bfa97 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml 
@@ -15,10 +15,10 @@ jobs: - uses: actions/checkout@v4 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ env.AWS_REGION }} - name: install opentofu uses: opentofu/setup-opentofu@v1 From 1e6f79f21e4fb9c7d4b01c414ff7316c837b576c Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:33:48 -0400 Subject: [PATCH 014/298] add workflow permissions --- .github/workflows/iac_validate.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index dcd9bfa97..6e9a15c06 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -8,6 +8,10 @@ env: environment: 'stage' AWS_REGION: us-east-1 +permissions: + id-token: write + contents: read + jobs: validate-iac: runs-on: ubuntu-latest From 6dca88cc9453b8f4eb954541f4560d948bc82641 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:39:34 -0400 Subject: [PATCH 015/298] pass backend alb id to frontend --- tofu/environments/stage/services/frontend/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index 9500add40..f635ff019 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -41,6 +41,6 @@ inputs = { region = local.region tags = local.tags ssl_cert = local.ssl_cert - backend_id = dependency.backend.outputs.id + backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name } \ No newline at end of file 
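Review bot: With `id-token: write` granted at workflow level (PATCH 014 hunk) and the trigger still `on: push:` with no branch filter, every push to any branch of the repository mints an OIDC token and assumes `secrets.IAM_ROLE` via the `role-to-assume` line in the PATCH 013 hunk; make sure the role's trust policy constrains the `token.actions.githubusercontent.com:sub` claim to this repository and the intended branches or environments, and consider `on: push: branches: [main]` plus `pull_request` for validation. Scoping `permissions:` to the `validate-iac` job rather than the workflow keeps the token from being available to any job added later. `role-session-name: GitHub_to_AWS_via_FederatedOIDC` is static, so CloudTrail cannot distinguish runs; `role-session-name: gha-${{ github.run_id }}` gives each assumption a traceable session. The role ARN is an identifier rather than a credential, so a repository variable (`vars.IAM_ROLE`) would avoid masking it in logs where it is useful for audit.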
From 3561c2cf50494257d279cba40b7daf5c4eba9e8f Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:43:44 -0400 Subject: [PATCH 016/298] add iac plan --- .github/workflows/iac_plan.yaml | 61 +++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index e69de29bb..2bfbd503b 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml 
@@ -0,0 +1,61 @@ +name: plan-iac +on: + push: + workflow_call: +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + environment: 'stage' + AWS_REGION: us-east-1 + +permissions: + id-token: write + contents: read + +jobs: + plan-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ env.tf_version }} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: plan vpc + working-directory: ./tofu/environments/${{ env.environment}}/network/vpc + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan backend + working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan cache + working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan database + working-directory: ./tofu/environments/${{ env.environment}}/data-store/database + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan frontend + working-directory: ./tofu/environments/${{ env.environment}}/services/frontend + run: | + terragrunt init + terragrunt plan -out tfplan-vpc From 131375e5d5b07eaad354efcf183e9d0fa29f871b Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:47:43 -0400 Subject: [PATCH 017/298] add iac plan trigger --- .github/workflows/iac_plan.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index 2bfbd503b..3ce907f3c 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -1,7 +1,12 @@ name: plan-iac -on: - push: + +on: workflow_call: + workflow_run: + workflows: [validate-iac] + types: + - completed + env: tf_version: '1.6.2' tg_version: '0.55.15' From 982402c530ef43ab3afb3491f7236577aa0c2804 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:56:25 -0400 Subject: [PATCH 018/298] DJUST iac workflow triggers --- .github/workflows/deploy.yaml | 0 .github/workflows/iac_plan.yaml | 1 + .github/workflows/iac_validate.yaml | 2 ++ .github/workflows/main.yaml | 0 4 files changed, 3 insertions(+) delete mode 100644 .github/workflows/deploy.yaml delete mode 100644 .github/workflows/main.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index 3ce907f3c..feda523b5 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -20,6 +20,7 @@ permissions: jobs: plan-iac: runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 6e9a15c06..c8135cdb1 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -1,7 +1,9 @@ name: validate-iac + on: push: workflow_call: + env: tf_version: '1.6.2' tg_version: '0.55.15' diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml deleted file mode 100644 index e69de29bb..000000000 From 44ea6da5b74c7be0c9065ec4f59172f515d0d0be Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 14:16:09 -0400 Subject: [PATCH 019/298] add plan-iac push trigger --- .github/workflows/iac_plan.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index feda523b5..a9e6af2bd 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -1,6 +1,7 @@ name: plan-iac on: + push: workflow_call: workflow_run: workflows: [validate-iac] From 8b8e187131ff2917a33c7f484e9b12de2ea3b2c6 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 14:18:15 -0400 Subject: [PATCH 020/298] add plan-iac push trigger --- .github/workflows/iac_plan.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index a9e6af2bd..5d918a6c1 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -21,7 +21,6 @@ permissions: jobs: plan-iac: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v4 From a6e9d7a82deee7c6b652919e254223b855fd9989 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 15:31:03 -0400 Subject: [PATCH 021/298] fixed formatting --- .../production/services/frontend/terragrunt.hcl | 6 +++--- .../stage/services/backend-service/terragrunt.hcl | 6 +++--- tofu/environments/stage/services/frontend/terragrunt.hcl | 2 +- tofu/environments/terragrunt.hcl | 6 +++--- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index d90141733..fc2a1f092 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,9 +15,9 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate","destroy"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { - id = "mock_alb_id" + alb_id = "mock_alb_id" dns_name = "mock_dns_name" } } 
@@ -41,6 +41,6 @@ inputs = { region = local.region tags = local.tags ssl_cert = local.ssl_cert - backend_id = dependency.backend.outputs.id + backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name } \ No newline at end of file diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 37f35f30f..76d583483 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -28,8 +28,8 @@ dependency "backend-infra" { mock_outputs = { target_group_key = "MOCK_KEY" log_group = "MOCK_LOGS" - ecs_cluster = "MOCK_CLUSTER_ID" - security_group = "MOCK_SG" + ecs_cluster = "MOCK_CLUSTER_ID" + security_group = "MOCK_SG" } } @@ -48,7 +48,7 @@ inputs = { subnets = dependency.vpc.outputs.private_subnets log_group = dependency.backend-infra.outputs.log_group target_group_arn = dependency.backend-infra.outputs.target_group_arn - security_group = dependency.backend-infra.outputs.security_group_id + security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index f635ff019..7fb590f02 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -17,7 +17,7 @@ dependency "backend" { mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { - id = "mock_alb_id" + alb_id = "mock_alb_id" dns_name = "mock_dns_name" } } diff --git a/tofu/environments/terragrunt.hcl b/tofu/environments/terragrunt.hcl index 0ecf6f0dc..9fdcedf87 100644 --- a/tofu/environments/terragrunt.hcl +++ b/tofu/environments/terragrunt.hcl 
@@ -1,5 +1,5 @@ -terraform_binary = "tofu" -terraform_version_constraint = ">= 1.6.2" +terraform_binary = "tofu" +terraform_version_constraint = ">= 1.6.2" terragrunt_version_constraint = ">= 0.55.15" @@ -21,7 +21,7 @@ locals { generate "backend" { path = "backend.tf" if_exists = "overwrite_terragrunt" - contents = < Date: Thu, 28 Mar 2024 09:16:19 -0400 Subject: [PATCH 022/298] added environment/module matrix --- .github/workflows/iac_apply.yaml | 60 ++++++++++++++++++++++++++ .github/workflows/iac_main.yaml | 41 ++++++++++++++++++ .github/workflows/iac_plan.yaml | 67 ----------------------------- .github/workflows/iac_validate.yaml | 63 --------------------------- .github/workflows/iac_verify.yaml | 58 +++++++++++++++++++++++++ 5 files changed, 159 insertions(+), 130 deletions(-) create mode 100644 .github/workflows/iac_apply.yaml create mode 100644 .github/workflows/iac_main.yaml delete mode 100644 .github/workflows/iac_plan.yaml delete mode 100644 .github/workflows/iac_validate.yaml create mode 100644 .github/workflows/iac_verify.yaml diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml new file mode 100644 index 000000000..56a8d0992 --- /dev/null +++ b/.github/workflows/iac_apply.yaml 
@@ -0,0 +1,60 @@ +name: apply-iac + +on: + push: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + module: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: init + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt init + - name: validate + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt validate + - name: plan + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt plan -out tfplan + - name: apply + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt apply tfplan diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml new file mode 100644 index 000000000..96a3e1e8e --- /dev/null +++ b/.github/workflows/iac_main.yaml 
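Review bot: `${{ env.tg_version }}` in the `install terragrunt` step references an `env` this reusable workflow never defines — the value arrives as `inputs.tg_version` — so the download URL becomes `.../download/v/terragrunt_linux_amd64` and the step fails; the same line is in iac_verify.yaml. Change it to `sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64"`. Beyond that, `plan` and `apply tfplan` run back-to-back in one job with no GitHub `environment:` declared, so nothing gates a push to main from applying to whatever `inputs.environment` says, and the same `secrets.IAM_ROLE` is assumed here as in the plan-only verify workflow; `environment: ${{ inputs.environment }}` with required reviewers for production, plus a separate read-only role for verify, gives least privilege and an approval point. The job id `validate-iac` is copied from the validate workflow and no longer describes what this job does; `apply-iac` would keep names aligned with the caller.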
@@ -0,0 +1,41 @@ +name: IaC Main + +on: + push: + +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + aws_region: us-east-1 + +jobs: + verify: + if: github.ref != 'refs/heads/main' + strategy: + matrix: + environment: [stage, production] + module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] + uses: ./.github/workflows/iac_verify.yaml + with: + tf_version: env.tf_version + tg_version: env.tg_version + aws_region: env.aws_region + environment: matrix.envrionment + module: matrix.module + secrets: inherit + + apply: + if: github.ref == 'refs/heads/main' + strategy: + matrix: + environment: [stage] + module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] + uses: ./.github/workflows/iac_apply.yaml + with: + tf_version: env.tf_version + tg_version: env.tg_version + aws_region: env.aws_region + environment: matrix.envrionment + module: matrix.module + secrets: inherit + diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml deleted file mode 100644 index 5d918a6c1..000000000 --- a/.github/workflows/iac_plan.yaml +++ /dev/null 
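Review bot: The `with:` values in both jobs are plain strings, not expressions — `tf_version: env.tf_version` hands the called workflow the literal text `env.tf_version`, and `environment: matrix.envrionment` (also a typo) the literal `matrix.envrionment` — so every downstream `working-directory` and version lookup is wrong; they need `${{ }}`, and as far as I recall the `env` context is not available in `jobs.<job_id>.with` at all, so the versions have to be literals or repository `vars`. `secrets: inherit` passes every repository secret to the reusable workflows when only `IAM_ROLE` is used; naming it explicitly limits blast radius. The `verify` matrix plans against `production` on every push to every non-main branch with the assumed role, which is wider than validation needs; restricting verify to `pull_request` or to stage, and leaving production to a gated job, would match least privilege.

```yaml
  verify:
    if: github.ref != 'refs/heads/main'
    # … unchanged: strategy/matrix …
    uses: ./.github/workflows/iac_verify.yaml
    with:
      tf_version: '1.6.2'
      tg_version: '0.55.15'
      aws_region: us-east-1
      environment: ${{ matrix.environment }}
      module: ${{ matrix.module }}
    secrets:
      IAM_ROLE: ${{ secrets.IAM_ROLE }}
  # … apply: same with/secrets shape …
```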
@@ -1,67 +0,0 @@ -name: plan-iac - -on: - push: - workflow_call: - workflow_run: - workflows: [validate-iac] - types: - - completed - -env: - tf_version: '1.6.2' - tg_version: '0.55.15' - environment: 'stage' - AWS_REGION: us-east-1 - -permissions: - id-token: write - contents: read - -jobs: - plan-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ env.AWS_REGION }} - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ env.tf_version }} - tofu_wrapper: false - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - name: plan vpc - working-directory: ./tofu/environments/${{ env.environment}}/network/vpc - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan backend - working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan cache - working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan database - working-directory: ./tofu/environments/${{ env.environment}}/data-store/database - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan frontend - working-directory: ./tofu/environments/${{ env.environment}}/services/frontend - run: | - terragrunt init - terragrunt plan -out tfplan-vpc diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml deleted file mode 100644 index c8135cdb1..000000000 --- a/.github/workflows/iac_validate.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -name: validate-iac - -on: - push: - workflow_call: - -env: - tf_version: '1.6.2' - tg_version: '0.55.15' - environment: 'stage' - AWS_REGION: us-east-1 - -permissions: - id-token: write - contents: read - -jobs: - validate-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ env.AWS_REGION }} - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ env.tf_version }} - tofu_wrapper: false - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - name: validate vpc - working-directory: ./tofu/environments/${{ env.environment}}/network/vpc - run: | - terragrunt init - terragrunt validate - - name: validate backend - working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra - run: | - terragrunt init - terragrunt validate - - name: validate cache - working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache - run: | - terragrunt init - terragrunt validate - - name: validate database - working-directory: ./tofu/environments/${{ env.environment}}/data-store/database - run: | - terragrunt init - terragrunt validate - - name: validate frontend - working-directory: ./tofu/environments/${{ env.environment}}/services/frontend - run: | - terragrunt init - terragrunt validate diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml new file mode 100644 index 000000000..516ab5ad0 --- /dev/null +++ b/.github/workflows/iac_verify.yaml 
@@ -0,0 +1,58 @@ +name: verify-iac + +on: + push: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + module: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: init + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt init + - name: validate + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt validate + - name: plan + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt plan + From 738c6b915e07208b165507d9226dad501773ab63 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:17:36 -0400 Subject: [PATCH 023/298] removed push trigger from resuable jobs --- .github/workflows/iac_apply.yaml | 1 - .github/workflows/iac_verify.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index 56a8d0992..b0ca4c967 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -1,7 +1,6 @@ name: apply-iac on: - push: workflow_call: inputs: tf_version: 
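Review bot: The `install terragrunt` step downloads the release binary with `wget` straight into `/bin` and executes it with no integrity check, so the job trusts whatever is served for that URL at run time, and that binary later runs with the assumed AWS role. Terragrunt releases publish a `SHA256SUMS` asset; pinning the digest next to the version, e.g. `echo "<expected-sha256-placeholder>  /bin/terragrunt" | sha256sum -c -` right after the download, keeps a swapped artifact from reaching plan or apply. The identical step is in `iac_apply.yaml` (see its hunk in PATCH 029 below), so both copies need the check.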
diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 516ab5ad0..2f8376b02 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -1,7 +1,6 @@ name: verify-iac on: - push: workflow_call: inputs: tf_version: From 49b4ea6bff0ebefa29290517b8b70c168a642870 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:25:17 -0400 Subject: [PATCH 024/298] corrected env syntax --- .github/workflows/iac_main.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 96a3e1e8e..6624a96a3 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,11 +17,11 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: env.tf_version - tg_version: env.tg_version - aws_region: env.aws_region - environment: matrix.envrionment - module: matrix.module + tf_version: $tf_version + tg_version: $tg_version + aws_region: $env.aws_region + environment: ${{ matrix.environment }} + module: ${{ matrix.module }} secrets: inherit apply: @@ -32,10 +32,10 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: env.tf_version - tg_version: env.tg_version - aws_region: env.aws_region - environment: matrix.envrionment - module: matrix.module + tf_version: $tf_version + tg_version: $tg_version + aws_region: $env.aws_region + environment: ${{ matrix.environment }} + module: ${{ matrix.module }} secrets: inherit From 4c437bcda6a827fe910b9418f0e547c184c25e87 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 28 Mar 2024 09:26:16 -0400 Subject: [PATCH 025/298] re-corrected env syntax --- .github/workflows/iac_main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 6624a96a3..fbe7a99bb 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -19,7 +19,7 @@ jobs: with: tf_version: $tf_version tg_version: $tg_version - aws_region: $env.aws_region + aws_region: $aws_region environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit @@ -34,7 +34,7 @@ jobs: with: tf_version: $tf_version tg_version: $tg_version - aws_region: $env.aws_region + aws_region: $aws_region environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From f2d3632b6fc18fc9da6a9eba0b0be6a937da8bc1 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:32:05 -0400 Subject: [PATCH 026/298] re-corrected env syntax again --- .github/workflows/iac_main.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index fbe7a99bb..0c4a8df45 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,9 +17,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: $tf_version - tg_version: $tg_version - aws_region: $aws_region + tf_version: '$tf_version' + tg_version: '$tg_version' + aws_region: '$aws_region' environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit 
@@ -32,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: $tf_version - tg_version: $tg_version - aws_region: $aws_region + tf_version: '$tf_version' + tg_version: '$tg_version' + aws_region: '$aws_region' environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From 4aba4603855841dad424480c1f5f08562c784898 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:56:21 -0400 Subject: [PATCH 027/298] testing using env in job block --- .github/workflows/iac_main.yaml | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 0c4a8df45..821b04a5a 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -1,14 +1,29 @@ name: IaC Main +concurrency: + group: iac + cancel-in-progress: true + on: push: +permissions: + id-token: write + contents: read + env: - tf_version: '1.6.2' - tg_version: '0.55.15' - aws_region: us-east-1 + TF_VERSION: '1.6.2' + TG_VERSION: '0.55.15' + AWS_REGION: us-east-1 jobs: + dummy: + runs-on: ubuntu/latest + steps: + - name: some crap + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{env.AWS_REGION }} verify: if: github.ref != 'refs/heads/main' strategy: @@ -17,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: '$tf_version' - tg_version: '$tg_version' - aws_region: '$aws_region' + tf_version: ${{ env.TF_VERSION }} + tg_version: ${{ env.TG_VERSION }} + aws_region: ${{ env.AWS_REGION }} environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit 
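Review bot: `concurrency: group: iac` with `cancel-in-progress: true` is a single static group shared by every branch, so a push to any branch can cancel an in-flight `apply` run on main; interrupting a terragrunt apply mid-run can leave resources half-applied and the state lock held. Scope the group per ref and only cancel plan-only runs, e.g. `group: iac-${{ github.ref }}` and `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}`. This applies to the first hunk of this file in PATCH 027 (`@@ -1,14 +1,29 @@`).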
@@ -32,9 +47,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: '$tf_version' - tg_version: '$tg_version' - aws_region: '$aws_region' + tf_version: ${{ env.TF_VERSION }} + tg_version: ${{ env.TG_VERSION }} + aws_region: ${{ env.AWS_REGION }} environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From 7741d3d367d1954df10990542dd4c2e0a05f1baf Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:01:49 -0400 Subject: [PATCH 028/298] hardcoded workaround for env context issue --- .github/workflows/iac_main.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 821b04a5a..31045226a 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -32,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: ${{ env.TF_VERSION }} - tg_version: ${{ env.TG_VERSION }} - aws_region: ${{ env.AWS_REGION }} + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit @@ -47,9 +47,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: ${{ env.TF_VERSION }} - tg_version: ${{ env.TG_VERSION }} - aws_region: ${{ env.AWS_REGION }} + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From aa876c5ec36ab07b016f1deb93bb58ecbd83b593 Mon Sep 17 00:00:00 2001 
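Review bot: Hard-coding `1.6.2`, `0.55.15` and `us-east-1` in both `with:` blocks duplicates the top-level `env:` values, which appear to stay in the file but are now unused; the earlier forms failed because the `env` context is not available in `jobs.<job_id>.with` for a reusable workflow call. The `vars` context is available there, so repository or organization variables (e.g. `tf_version: ${{ vars.TF_VERSION }}`) keep one source of truth for both jobs. If the literals stay, remove the dead `env:` block so a reader does not assume it is in effect.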
From: Jo Date: Thu, 28 Mar 2024 10:04:20 -0400 Subject: [PATCH 029/298] missed updating one input in called workflows --- .github/workflows/iac_apply.yaml | 2 +- .github/workflows/iac_main.yaml | 7 ------- .github/workflows/iac_verify.yaml | 2 +- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index b0ca4c967..b97e2f6fb 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -42,7 +42,7 @@ jobs: tofu_wrapper: false - name: install terragrunt run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - name: init diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 31045226a..d29f24351 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,13 +17,6 @@ env: AWS_REGION: us-east-1 jobs: - dummy: - runs-on: ubuntu/latest - steps: - - name: some crap - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{env.AWS_REGION }} verify: if: github.ref != 'refs/heads/main' strategy: diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 2f8376b02..46207ed34 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -42,7 +42,7 @@ jobs: tofu_wrapper: false - name: install terragrunt run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - name: init 
From 2947c88dfec686195fc554cd53444908be553b5f Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:15:23 -0400 Subject: [PATCH 030/298] run all steps on a single runner --- .github/workflows/iac_apply.yaml | 50 +++++++++++++++++++++---------- .github/workflows/iac_main.yaml | 4 --- .github/workflows/iac_verify.yaml | 43 ++++++++++++++++++-------- 3 files changed, 65 insertions(+), 32 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index b97e2f6fb..9927aae6f 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -15,9 +15,6 @@ on: environment: required: true type: string - module: - required: true - type: string permissions: id-token: write 
@@ -45,15 +42,38 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: init - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt init - - name: validate - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt validate - - name: plan - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt plan -out tfplan - - name: apply - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt apply tfplan + - name: vpc + working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + run: | + terragrunt init + terragrunt validate + terragrunt plan tfplan + terragrunt apply tfplan + - name: backend-infra + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: cache + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: database + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: frontend + working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index d29f24351..a242ea19c 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml 
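Review bot: Every new step ends with `terragrunt apply tfplan`, but none of the preceding plans writes that file: the `vpc` step runs `terragrunt plan tfplan` (a positional argument, which current Terraform/OpenTofu rejects rather than treating as `-out`), and the other four run a bare `terragrunt plan`. The apply will then fail looking for a saved plan named `tfplan`, and the plan that was reviewed in the log is not the one applied. Use `terragrunt plan -out tfplan` in all five steps so apply consumes exactly the plan produced in the same step.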
@@ -22,14 +22,12 @@ jobs: strategy: matrix: environment: [stage, production] - module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: tf_version: 1.6.2 tg_version: 0.55.15 aws_region: us-east-1 environment: ${{ matrix.environment }} - module: ${{ matrix.module }} secrets: inherit apply: @@ -37,13 +35,11 @@ jobs: strategy: matrix: environment: [stage] - module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: tf_version: 1.6.2 tg_version: 0.55.15 aws_region: us-east-1 environment: ${{ matrix.environment }} - module: ${{ matrix.module }} secrets: inherit diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 46207ed34..85dd1f196 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -15,9 +15,6 @@ on: environment: required: true type: string - module: - required: true - type: string permissions: id-token: write 
@@ -45,13 +42,33 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: init - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt init - - name: validate - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt validate - - name: plan - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt plan - + - name: vpc + working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: backend-infra + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: cache + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: database + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: frontend + working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + run: | + terragrunt init + terragrunt validate + terragrunt plan From e8a9be9181c42ac0569a4b2f05ceff70c8be939b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:26:34 -0400 Subject: [PATCH 031/298] add max parallel constraints to matrix to avoid concurrency issues --- .github/workflows/iac_main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index a242ea19c..3a81b0b62 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml 
@@ -20,6 +20,7 @@ jobs: verify: if: github.ref != 'refs/heads/main' strategy: + max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/iac_verify.yaml @@ -33,6 +34,7 @@ jobs: apply: if: github.ref == 'refs/heads/main' strategy: + max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/iac_apply.yaml From 70b1476c7642c9ef50bd90097000b50a21f02f00 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:33:17 -0400 Subject: [PATCH 032/298] corrected backedn-infra dependency issue --- .../production/services/backend-infra/terragrunt.hcl | 2 +- tofu/environments/stage/services/backend-infra/terragrunt.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 4e84c4c63..747712f1e 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 4e84c4c63..7f946f4f0 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init, "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] From e12825746a34c28ba6dc9f8d920d6df459024416 Mon Sep 17 00:00:00 2001 
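Review bot: The stage and production `backend-infra/terragrunt.hcl` files start from the same blob (`4e84c4c63`) and are edited by hand in parallel, and this hunk already makes them diverge: `["init, "validate"]` has an unterminated string and will not parse, while the production copy is correct. Dependency blocks that are identical across environments belong in one shared file pulled in with `include` or `read_terragrunt_config`, so a fix lands once and the environments cannot drift.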
From: Jo Date: Thu, 28 Mar 2024 10:35:13 -0400 Subject: [PATCH 033/298] corrected typo --- tofu/environments/stage/services/backend-infra/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 7f946f4f0..747712f1e 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init, "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] From c47d017b25b6080aa0272b508a896ba34ce5d5da Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:42:53 -0400 Subject: [PATCH 034/298] dependency issue in backend-infra --- .../production/services/backend-infra/terragrunt.hcl | 1 + tofu/environments/stage/services/backend-infra/terragrunt.hcl | 1 + 2 files changed, 2 insertions(+) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 747712f1e..b67cfe467 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -19,6 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] + private_subnets = [] ecr_endpoint_security_group = "mock_sg" secrets_endpoint_security_group = "mock_sg" logs_endpoint_security_group = "mock_sg" diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 747712f1e..b67cfe467 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl 
@@ -19,6 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] + private_subnets = [] ecr_endpoint_security_group = "mock_sg" secrets_endpoint_security_group = "mock_sg" logs_endpoint_security_group = "mock_sg" From 1f15877061792121fd6e0270856c3290b38ebc4f Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:52:07 -0400 Subject: [PATCH 035/298] add continue-on-error to actions validation job --- .github/workflows/iac_verify.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 85dd1f196..b7f7de9a9 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -44,30 +44,35 @@ jobs: terragrunt -v - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + continue-on-error: true run: | terragrunt init terragrunt validate From 8173b94d7f6c3b810654dd0dbe62def6df34ad85 Mon Sep 17 00:00:00 2001 
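Review bot: `continue-on-error: true` on every validate/plan step makes the verify job report success even when a module's init, validate or plan fails, so a broken module can be merged to main and only surface in the apply run; the failure is visible only by opening the step log. If the goal is to let all modules run and report, keep the steps failing and use a matrix with `fail-fast: false`, or give each step an `id` and add a final step that fails the job when any `steps.<id>.outcome` is `failure`.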
From: Jo Date: Thu, 28 Mar 2024 11:39:29 -0400 Subject: [PATCH 036/298] added init support for dependency mock outputs --- .github/workflows/iac_verify.yaml | 1 - .../environments/production/data-store/cache/terragrunt.hcl | 4 ++-- .../production/data-store/database/terragrunt.hcl | 6 +++--- .../production/services/backend-infra/terragrunt.hcl | 2 +- .../production/services/frontend/terragrunt.hcl | 2 +- tofu/environments/stage/data-store/cache/terragrunt.hcl | 4 ++-- tofu/environments/stage/data-store/database/terragrunt.hcl | 6 +++--- .../stage/services/backend-infra/terragrunt.hcl | 2 +- tofu/environments/stage/services/frontend/terragrunt.hcl | 2 +- 9 files changed, 14 insertions(+), 15 deletions(-) diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index b7f7de9a9..cfb17d84e 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -72,7 +72,6 @@ jobs: terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend - continue-on-error: true run: | terragrunt init terragrunt validate diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index a5221540a..88846d68a 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } 
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 082ef325d..35355f36d 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] @@ -26,7 +26,7 @@ dependency "vpc" { dependency "cache" { config_path = "../cache" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { security_group_id = "mock_sg_id" } @@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index b67cfe467..5ed033407 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index fc2a1f092..71af8f1bb 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl 
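Review bot: The production database `dependency "backend"` still points at `../../services/backend`, while the stage copy (`@@ -35,7 +35,7 @@` below) and this commit's own diffstat only reference `services/backend-infra` directories; adding `init` to `mock_outputs_allowed_terraform_commands` lets init and validate pass on mocks, so the bad path would only surface at plan. Unless a `services/backend` module exists in production, `config_path = "../../services/backend-infra"` is the intended value; PATCH 037 fixes the same path for the frontend, and a later commit may address this one, but it is worth confirming.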
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index a5221540a..88846d68a 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 9b01cb4b6..436f1280d 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] 
@@ -26,7 +26,7 @@ dependency "vpc" { dependency "cache" { config_path = "../cache" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { security_group_id = "mock_sg_id" } @@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index b67cfe467..5ed033407 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index 7fb590f02..12967aacb 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" From e0cb440de06bc8da07d86fd923eb443f56c4815d Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 28 Mar 2024 12:23:25 -0400 Subject: [PATCH 037/298] corrected production module path --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 71af8f1bb..12967aacb 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -13,7 +13,7 @@ terraform { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { From 83063273542bdb7f33e3d5b6b2ed9f8ee7d7331b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:40:46 -0400 Subject: [PATCH 038/298] further dependency correction --- .../production/data-store/cache/terragrunt.hcl | 2 +- .../production/data-store/database/terragrunt.hcl | 7 +++---- .../production/services/frontend/terragrunt.hcl | 2 +- tofu/environments/stage/data-store/cache/terragrunt.hcl | 2 +- tofu/environments/stage/data-store/database/terragrunt.hcl | 6 +++--- tofu/environments/stage/services/frontend/terragrunt.hcl | 2 +- 6 files changed, 10 insertions(+), 11 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 88846d68a..d843fc7aa 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" - subnets = [] + database_subnets = [] source_security_groups = [] } } 
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 35355f36d..fc1f652ce 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -17,9 +17,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - source_security_groups = [] + vpc_id = "mock_vpc_id" + database_subnet_group = "mock_subnet_group" } } @@ -33,7 +32,7 @@ dependency "cache" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 12967aacb..84087e74b 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 88846d68a..d843fc7aa 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" - subnets = [] + database_subnets = [] source_security_groups = [] } } 
diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 436f1280d..4b376f9b9 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -17,9 +17,9 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - source_security_groups = [] + vpc_id = "mock_vpc_id" + database_subnet_group = "mock_subnet_group" + } } diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index 12967aacb..84087e74b 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" From 3c3d2ce85e40326671aef7e84838e8cb720b6ead Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:52:58 -0400 Subject: [PATCH 039/298] further dependency resolution --- tofu/environments/production/data-store/cache/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index d843fc7aa..59d3a0225 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl 
@@ -18,8 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" - database_subnets = [] - source_security_groups = [] + database_subnets = ["subnet-mocksubnet1234567"] + source_security_groups = ["sg-mocksecuritygroup"] } } From b75b183ab66b58b11811d5b808a59e2d79f78598 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:58:28 -0400 Subject: [PATCH 040/298] further dependency resolution --- .../environments/production/data-store/cache/terragrunt.hcl | 2 +- .../production/data-store/database/terragrunt.hcl | 4 ++-- tofu/environments/stage/data-store/cache/terragrunt.hcl | 6 +++--- tofu/environments/stage/data-store/database/terragrunt.hcl | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 59d3a0225..831bd4feb 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" database_subnets = ["subnet-mocksubnet1234567"] diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index fc1f652ce..6a8a0a46a 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl 
@@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" database_subnet_group = "mock_subnet_group" @@ -34,7 +34,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index d843fc7aa..831bd4feb 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -15,11 +15,11 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" - database_subnets = [] - source_security_groups = [] + database_subnets = ["subnet-mocksubnet1234567"] + source_security_groups = ["sg-mocksecuritygroup"] } } diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 4b376f9b9..2a11075fe 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" database_subnet_group = "mock_subnet_group" 
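Review bot: Adding "plan" to `mock_outputs_allowed_terraform_commands` on the vpc dependency lets `terragrunt plan` succeed with placeholder values such as `database_subnet_group = "mock_subnet_group"` whenever the dependency's outputs are not yet in state, and a plan file produced that way would carry the placeholders into real resources if it is later fed to `terragrunt apply tfplan`, which is how the apply workflow later in this series consumes plans. The same widening is made for the cache and backend dependencies in the neighbouring hunks of this patch and in patches 001, 038 and 041, where the mocks were also changed from empty lists to fake ids so the plan passes. If plan-with-mocks is only meant for the verify path, consider keeping "plan" out of these lists in the environments the apply job runs against, or at least record the intent next to the list: `# "plan" is allowed only so verify can plan before dependencies exist; an apply must never consume a plan built from these mocks`.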
@@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } From 1f7269ea14ae438e3a14e1c11f3baa49174b7745 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 13:04:34 -0400 Subject: [PATCH 041/298] further dependency resolution --- tofu/environments/production/data-store/cache/terragrunt.hcl | 2 +- tofu/environments/stage/data-store/cache/terragrunt.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 831bd4feb..086987807 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 831bd4feb..086987807 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } From 257dc8d2391cdd0caa6987a4a2d45354bb6f9639 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 28 Mar 2024 13:52:05 -0400 Subject: [PATCH 042/298] narrowed path triggers for iac workflows --- .github/workflows/iac_main.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 3a81b0b62..75bf42bb6 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -6,6 +6,10 @@ concurrency: on: push: + paths: + - tofu/environments/** + - tofu/modules/** + - .github/workflows/* permissions: id-token: write From 6c9d5ec534ae788433db6b3aae0d4303ceed9071 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 14:20:37 -0400 Subject: [PATCH 043/298] adjusting job conditional logic --- .github/workflows/iac_main.yaml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 75bf42bb6..d931e22b8 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -6,10 +6,6 @@ concurrency: on: push: - paths: - - tofu/environments/** - - tofu/modules/** - - .github/workflows/* permissions: id-token: write @@ -21,8 +17,23 @@ env: AWS_REGION: us-east-1 jobs: + iac-changes: + runs-on: ubuntu-latest + outputs: + run-iac: ${{ steps.check.outputs.run-iac }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + run-iac: + - 'tofu/**' + - '.github/workflows/**' + verify: - if: github.ref != 'refs/heads/main' + needs: iac-changes + if: github.ref != 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -36,7 +47,8 @@ jobs: secrets: inherit apply: - if: github.ref == 'refs/heads/main' + needs: iac-changes + if: github.ref == 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 3d73450e288b7dd21feb81a434feaaa29b44bf1c Mon Sep 17 00:00:00 2001 
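Review bot: `dorny/paths-filter@v3` in the new `iac-changes` job is a third-party action pinned by a mutable tag, so the code that decides whether the cloud-touching verify and apply jobs run can change underneath this workflow without any commit here; pin it to a full commit SHA and keep the tag as a comment, e.g. `- uses: dorny/paths-filter@<full-commit-sha> # v3`. The same applies to every tag-pinned action in the workflows introduced by patch 045 (primary.yaml, deploy-backend.yaml, verify-backend.yaml). The `run-iac` filter also matches `.github/workflows/**`, so editing an unrelated workflow on main triggers the apply job as well; narrowing it to the IaC workflow files would avoid unintended applies. The enclosing `jobs` block continues past the end of this hunk.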
From: Jo Date: Mon, 1 Apr 2024 08:41:35 -0400 Subject: [PATCH 044/298] restructured actions & added backend-service --- tofu/modules/services/backend-service/main.tf | 2 +- tofu/modules/services/backend-service/variables.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index 359106194..ec92a4ba3 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf @@ -35,7 +35,7 @@ resource "aws_ecs_task_definition" "backend" { container_definitions = jsonencode([ { name = "backend" - image = "backend-latest" + image = var.image cpu = 0 essential = true portMappings = [ diff --git a/tofu/modules/services/backend-service/variables.tf b/tofu/modules/services/backend-service/variables.tf index da18e1a6c..5a501953e 100644 --- a/tofu/modules/services/backend-service/variables.tf +++ b/tofu/modules/services/backend-service/variables.tf @@ -36,4 +36,9 @@ variable "ecs_cluster" { variable "security_group" { description = "Backend security group" type = string +} + +variable "image" { + description = "Backend Docker image" + type = string } \ No newline at end of file From 525da72ec959a9d51a159975297aa5a4eb2717d5 Mon Sep 17 00:00:00 2001 
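Review bot: The new `image` variable accepts any string and is the only input deciding what runs in the ECS task, so an untagged or mistyped reference passed from CI (the default-`latest` case this commit moves away from) is applied without complaint; a `validation` block on the variable with `condition = can(regex("^[^:@]+(:[^:@]+|@sha256:[0-9a-f]{64})$", var.image))` and an `error_message` asking for a tagged or digest-pinned reference would reject that at plan time. A digest-pinned reference is also what makes the deployed artifact attributable to a specific build. The file still ends without a trailing newline (`\ No newline at end of file`).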
From: Jo Date: Mon, 1 Apr 2024 08:48:13 -0400 Subject: [PATCH 045/298] added backend-service verify --- .../{iac_apply.yaml => apply-iac.yaml} | 7 ++ .github/workflows/aws.yml | 75 --------------- .../workflows/{ci-tests.yml => ci-tests.yaml} | 12 ++- .github/workflows/deploy-backend.yaml | 87 +++++++++++++++++ .github/workflows/deploy-frontend.yaml | 0 .github/workflows/iac_main.yaml | 63 ------------- .github/workflows/primary.yaml | 94 +++++++++++++++++++ .github/workflows/verify-backend.yaml | 87 +++++++++++++++++ .../{iac_verify.yaml => verify-iac.yaml} | 7 ++ 9 files changed, 290 insertions(+), 142 deletions(-) rename .github/workflows/{iac_apply.yaml => apply-iac.yaml} (99%) delete mode 100644 .github/workflows/aws.yml rename .github/workflows/{ci-tests.yml => ci-tests.yaml} (93%) create mode 100644 .github/workflows/deploy-backend.yaml create mode 100644 .github/workflows/deploy-frontend.yaml delete mode 100644 .github/workflows/iac_main.yaml create mode 100644 .github/workflows/primary.yaml create mode 100644 .github/workflows/verify-backend.yaml rename .github/workflows/{iac_verify.yaml => verify-iac.yaml} (99%) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/apply-iac.yaml similarity index 99% rename from .github/workflows/iac_apply.yaml rename to .github/workflows/apply-iac.yaml index 9927aae6f..f531f3c02 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/apply-iac.yaml 
@@ -32,16 +32,19 @@ jobs: role-to-assume: ${{secrets.IAM_ROLE}} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{inputs.aws_region}} + - name: install opentofu uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{inputs.tf_version}} tofu_wrapper: false + - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v + - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc run: | @@ -49,6 +52,7 @@ jobs: terragrunt validate terragrunt plan tfplan terragrunt apply tfplan + - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra run: | @@ -56,6 +60,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache run: | @@ -63,6 +68,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database run: | @@ -70,6 +76,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | diff --git a/.github/workflows/aws.yml b/.github/workflows/aws.yml deleted file mode 100644 index 8fff6b17d..000000000 --- a/.github/workflows/aws.yml +++ /dev/null 
@@ -1,75 +0,0 @@ -# This workflow will build and push a new container image to Amazon ECR, -# and then will deploy a new task definition to Amazon ECS, when there is a push to the "staging" branch. - -name: Deploy to Stage Environment - -# Stop any pending jobs -concurrency: - group: staging - cancel-in-progress: true - -on: - push: - branches: [ "stage" ] - -env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments - ECS_TASK_DEFINITION: .aws/task-definition.json - - CONTAINER_FRONTEND: frontend - CONTAINER_BACKEND: backend - -permissions: - contents: read - -jobs: - deploy: - name: Build & Deploy - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 - with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ env.AWS_REGION }} - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - - name: Fill in the new backend image ID in the Amazon ECS task definition - id: task-def-backend - uses: aws-actions/amazon-ecs-render-task-definition@v1 - with: - task-definition: ${{ env.ECS_TASK_DEFINITION }} - container-name: ${{ env.CONTAINER_BACKEND }} - image: ${{ steps.build-backend.outputs.image_backend }} - environment-variables: "RELEASE_VERSION=${{ github.sha }}" - - - name: Deploy Amazon ECS task definition - uses: aws-actions/amazon-ecs-deploy-task-definition@v1 - with: - task-definition: ${{ steps.task-def-backend.outputs.task-definition }} diff --git a/.github/workflows/ci-tests.yml b/.github/workflows/ci-tests.yaml similarity index 93% rename from .github/workflows/ci-tests.yml rename to .github/workflows/ci-tests.yaml index 89cd424ab..29251fc31 100644 --- a/.github/workflows/ci-tests.yml +++ b/.github/workflows/ci-tests.yaml @@ -3,10 +3,7 @@ name: Run Tests on: - push: - branches: [main] - pull_request: - branches: [main] + workflow_call: permissions: contents: read @@ -17,33 +14,40 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.11' cache: 'pip' + - name: Install dependencies run: | cd ./backend python -m pip install --upgrade pip python -m pip install .'[test]' + - name: Test with pytest run: | cd ./backend && python -m pytest + vitest: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: node-version: 18 cache: 'yarn' cache-dependency-path: 'frontend/yarn.lock' + - name: Install dependencies run: | cd ./frontend yarn install + - name: Test with vitest run: | cd ./frontend && yarn test --run 
diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml new file mode 100644 index 000000000..38e93d2dc --- /dev/null +++ b/.github/workflows/deploy-backend.yaml 
@@ -0,0 +1,87 @@ +name: Deploy Backend + +# Stop any pending jobs +concurrency: + group: backend + cancel-in-progress: true + +on: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + +env: + AWS_REGION: us-east-1 + ECR_REPOSITORY: appointments + ECS_SERVICE: appointments-service + ECS_CLUSTER: appointments + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: backend-${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. 
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service + run: | + terragrunt init + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' + terragrunt apply tfplan + diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml deleted file mode 100644 index d931e22b8..000000000 --- a/.github/workflows/iac_main.yaml +++ /dev/null 
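Review bot: In the `backend-service` step, `terragrunt plan -var 'image=…'` writes no plan file, yet the next line runs `terragrunt apply tfplan`, so the apply either fails on a missing file or applies something other than what was just planned; add `-out=tfplan` to the plan line. The terragrunt binary is fetched with `wget` and made executable with no checksum verification, so a replaced release asset would run under the workflow's OIDC-assumed role; verify the download against the checksums published for that release before the `chmod +x`. The image reference is spliced into the shell script through `${{ steps.build-backend.outputs.image_backend }}`; passing it via the step's `env:` and referencing `"$IMAGE"` keeps expression values out of the script text. The `env` block also hard-codes `AWS_REGION: us-east-1` while the credentials step uses `${{inputs.aws_region}}`, which will diverge as soon as a caller passes another region.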
@@ -1,63 +0,0 @@ -name: IaC Main - -concurrency: - group: iac - cancel-in-progress: true - -on: - push: - -permissions: - id-token: write - contents: read - -env: - TF_VERSION: '1.6.2' - TG_VERSION: '0.55.15' - AWS_REGION: us-east-1 - -jobs: - iac-changes: - runs-on: ubuntu-latest - outputs: - run-iac: ${{ steps.check.outputs.run-iac }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - run-iac: - - 'tofu/**' - - '.github/workflows/**' - - verify: - needs: iac-changes - if: github.ref != 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/iac_verify.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - apply: - needs: iac-changes - if: github.ref == 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/iac_apply.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml new file mode 100644 index 000000000..9e02ecbdf --- /dev/null +++ b/.github/workflows/primary.yaml 
@@ -0,0 +1,94 @@ +name: Primary Workflow + +concurrency: + group: iac + cancel-in-progress: true + +on: + push: + +permissions: + id-token: write + contents: read + +env: + TF_VERSION: '1.6.2' + TG_VERSION: '0.55.15' + AWS_REGION: us-east-1 + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + run-iac: ${{ steps.check.outputs.run-iac }} + run-backend: ${{ steps.check.outputs.run-backend }} + run-frontend: ${{ steps.check.outputs.run-frontend }} + steps: + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + run-iac: + - 'tofu/**' + - '.github/workflows/**' + run-backend: + - 'backend/**' + run-frontend: + - 'frontend/**' + + verify-iac: + needs: detect-changes + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage, production] + uses: ./.github/workflows/verify-iac.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + + apply-iac: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage] + uses: ./.github/workflows/apply-iac.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + + ci-tests: + needs: detect-changes + if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + uses: ./.github/workflows/ci-tests.yaml + + deploy-backend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage] + uses: ./.github/workflows/deploy-backend.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: 
${{ matrix.environment }} + secrets: inherit + + deploy-frontend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + uses: ./.github/workflows/deploy-frontend.yaml \ No newline at end of file diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml new file mode 100644 index 000000000..00e8a6cf3 --- /dev/null +++ b/.github/workflows/verify-backend.yaml 
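Review bot: `deploy-backend` and `deploy-frontend` depend only on `detect-changes`, so they run in parallel with `ci-tests` and a failing test suite never blocks a deployment; make them `needs: [detect-changes, ci-tests]` so the deploy waits for the tests that the same change triggered. Because `ci-tests` is itself gated on `github.ref == 'refs/heads/main'` and ci-tests.yaml lost its `pull_request` trigger in this patch, tests now run only after merge, not before it. The workflow fires on every `push` with no branch filter while granting `id-token: write`, so `verify-iac` obtains AWS credentials for any branch; that is only acceptable if the IAM role's OIDC trust policy restricts the `sub` claim to the intended refs, which cannot be confirmed from this diff.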
@@ -0,0 +1,87 @@ +name: Deploy Backend + +# Stop any pending jobs +concurrency: + group: backend + cancel-in-progress: true + +on: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + +env: + AWS_REGION: us-east-1 + ECR_REPOSITORY: appointments + ECS_SERVICE: appointments-service + ECS_CLUSTER: appointments + IMAGE: dummyimagename + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: backend-${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. 
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service + run: | + terragrunt init + terragrunt validate + terragrunt plan -var 'image=$IMAGE' + diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/verify-iac.yaml similarity index 99% rename from .github/workflows/iac_verify.yaml rename to .github/workflows/verify-iac.yaml index cfb17d84e..fe1767803 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/verify-iac.yaml @@ -32,16 +32,19 @@ jobs: role-to-assume: ${{secrets.IAM_ROLE}} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{inputs.aws_region}} + - name: install opentofu uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{inputs.tf_version}} tofu_wrapper: false + - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v + - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc continue-on-error: true @@ -49,6 +52,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra continue-on-error: true @@ -56,6 +60,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache continue-on-error: true @@ -63,6 +68,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database continue-on-error: true 
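Review bot: In the `backend-service` step, `terragrunt plan -var 'image=$IMAGE'` is single-quoted, so the shell never expands `$IMAGE` and tofu receives the literal string `$IMAGE` rather than the `dummyimagename` value from `env`; use `-var "image=$IMAGE"`, or drop the placeholder env and pass `${{ steps.build-backend.outputs.image_backend }}` through the step's `env:`. The job also builds and pushes the image to ECR even though this is the verify path and the pushed image is never used, so every verification publishes an artifact under the deploy-time tag scheme; a build-only step would suffice here. The name `Deploy Backend`, the job id `deploy-backend` and `concurrency.group: backend` are copied from deploy-backend.yaml; if the group is honoured for called workflows a verify run could cancel an in-progress deploy, and the copied names make the two indistinguishable in run logs.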
@@ -70,6 +76,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | From 1d0f1cc661d9b634942b80311d03f7242582d95a Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 08:50:58 -0400 Subject: [PATCH 046/298] testing primary action --- .aws/task-definition.json | 195 --------------------------------- .github/workflows/primary.yaml | 4 - 2 files changed, 199 deletions(-) delete mode 100644 .aws/task-definition.json diff --git a/.aws/task-definition.json b/.aws/task-definition.json deleted file mode 100644 index 72a9fc211..000000000 --- a/.aws/task-definition.json +++ /dev/null 
@@ -1,195 +0,0 @@ -{ - "taskDefinitionArn": "arn:aws:ecs:us-east-1:768512802988:task-definition/appointments-definition:24", - "containerDefinitions": [ - { - "name": "backend", - "image": "backend-latest", - "cpu": 0, - "portMappings": [ - { - "name": "backend-5000-tcp", - "containerPort": 5000, - "hostPort": 5000, - "protocol": "tcp", - "appProtocol": "http" - } - ], - "essential": true, - "environment": [ - { - "name": "FRONTEND_URL", - "value": "https://stage.appointment.day" - }, - { - "name": "SHORT_BASE_URL", - "value": "https://stage.apmt.day" - }, - { - "name": "TIER_BASIC_CALENDAR_LIMIT", - "value": "3" - }, - { - "name": "TIER_PLUS_CALENDAR_LIMIT", - "value": "5" - }, - { - "name": "TIER_PRO_CALENDAR_LIMIT", - "value": "10" - }, - { - "name": "LOG_USE_STREAM", - "value": "True" - }, - { - "name": "LOG_LEVEL", - "value": "INFO" - }, - { - "name": "APP_ENV", - "value": "stage" - }, - { - "name": "SENTRY_DSN", - "value": "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" - }, - { - "name": "ZOOM_API_ENABLED", - "value": "True" - }, - { - "name": "ZOOM_AUTH_CALLBACK", - "value": "https://stage.appointment.day/api/v1/zoom/callback" - }, - { - "name": "SERVICE_EMAIL", - "value": "no-reply@appointment.day" - }, - { - "name": "AUTH_SCHEME", - "value": "fxa" - }, - { - "name": "JWT_ALGO", - "value": "HS256" - }, - { - "name": "JWT_EXPIRE_IN_MINS", - "value": "10000" - } - ], - "secrets": [ - { - "name": "DATABASE_SECRETS", - "valueFrom": "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-mysql-Ixf6qD" - }, - { - "name": "DB_ENC_SECRET", - "valueFrom": "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" - }, - { - "name": "SMTP_SECRETS", - "valueFrom": "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" - }, - { - "name": "GOOGLE_OAUTH_SECRETS", - "valueFrom": 
"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" - }, - { - "name": "ZOOM_SECRETS", - "valueFrom": "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" - }, - { - "name": "FXA_SECRETS", - "valueFrom": "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-7koQF0" - } - ], - "mountPoints": [], - "volumesFrom": [], - "logConfiguration": { - "logDriver": "awslogs", - "options": { - "awslogs-create-group": "true", - "awslogs-group": "/ecs/appointments-definition", - "awslogs-region": "us-east-1", - "awslogs-stream-prefix": "ecs" - } - } - }, - { - "name": "frontend", - "image": "frontend-latest", - "cpu": 0, - "portMappings": [ - { - "name": "frontend-80-tcp", - "containerPort": 80, - "hostPort": 80, - "protocol": "tcp", - "appProtocol": "http" - } - ], - "essential": true, - "environment": [], - "mountPoints": [], - "volumesFrom": [], - "logConfiguration": { - "logDriver": "awslogs", - "options": { - "awslogs-create-group": "true", - "awslogs-group": "/ecs/appointments-definition", - "awslogs-region": "us-east-1", - "awslogs-stream-prefix": "ecs" - } - } - } - ], - "family": "appointments-definition", - "executionRoleArn": "arn:aws:iam::768512802988:role/apointments-ci-role", - "networkMode": "awsvpc", - "revision": 24, - "volumes": [], - "status": "ACTIVE", - "requiresAttributes": [ - { - "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" - }, - { - "name": "ecs.capability.execution-role-awslogs" - }, - { - "name": "com.amazonaws.ecs.capability.ecr-auth" - }, - { - "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" - }, - { - "name": "ecs.capability.execution-role-ecr-pull" - }, - { - "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" - }, - { - "name": "ecs.capability.task-eni" - }, - { - "name": "com.amazonaws.ecs.capability.docker-remote-api.1.29" - } - ], - "placementConstraints": [], - "compatibilities": [ - "EC2", - 
"FARGATE" - ], - "requiresCompatibilities": [ - "FARGATE" - ], - "cpu": "512", - "memory": "1024", - "runtimePlatform": { - "cpuArchitecture": "X86_64", - "operatingSystemFamily": "LINUX" - }, - "registeredAt": "2023-03-15T22:19:59.642Z", - "registeredBy": "arn:aws:iam::768512802988:user/melissa", - "tags": [] -} diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 9e02ecbdf..038e8b1ed 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -88,7 +88,3 @@ jobs: environment: ${{ matrix.environment }} secrets: inherit - deploy-frontend: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' - uses: ./.github/workflows/deploy-frontend.yaml \ No newline at end of file From c899f975159b13dd873ebf24fc79c6c6245b6e41 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 08:57:52 -0400 Subject: [PATCH 047/298] testing primary action --- .github/workflows/primary.yaml | 15 +++++++++++++++ .github/workflows/verify-backend.yaml | 15 +-------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 038e8b1ed..12c8e9a3e 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml 
@@ -73,6 +73,21 @@ jobs: if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml + verify-backend: + needs: detect-changes + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage, production] + uses: ./.github/workflows/verify-backend.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + deploy-backend: needs: detect-changes if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index 00e8a6cf3..ebbb8b3a7 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml @@ -33,7 +33,7 @@ permissions: contents: read jobs: - deploy-backend: + validate-backend: runs-on: ubuntu-latest steps: @@ -65,19 +65,6 @@ jobs: with: mask-password: 'true' - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | From fbaafbaa3aa3b151be97af70f13efdd4399518e0 Mon Sep 17 00:00:00 2001 
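Review bot: `secrets: inherit` on the new verify-backend job hands every repository secret to the called workflow, although verify-backend.yaml only reads `secrets.IAM_ROLE`. Declaring that one secret under `on.workflow_call.secrets` in verify-backend.yaml and passing it explicitly, `secrets:` / `IAM_ROLE: ${{ secrets.IAM_ROLE }}`, keeps the reusable workflow to the single credential it needs; the `secrets: inherit` added to deploy-frontend in patch 056 has the same shape. The job also runs a production `plan` for every non-main push that touches the matched paths, which is presumably fine because plan only reads, but it is worth confirming that the role it assumes is plan-scoped rather than the same role the deploy job uses.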
From: Jo Date: Mon, 1 Apr 2024 09:08:28 -0400 Subject: [PATCH 048/298] fixed verify-backend trigger --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 12c8e9a3e..7950afe59 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 8c7d6c166eac7883c9228d97083d6f03f8265030 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:16:41 -0400 Subject: [PATCH 049/298] added production backend-service & fixed image name in backend-service --- .github/workflows/verify-backend.yaml | 2 +- .../services/backend-service/terragrunt.hcl | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 tofu/environments/production/services/backend-service/terragrunt.hcl diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index ebbb8b3a7..e8f28488d 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml @@ -70,5 +70,5 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan -var 'image=$IMAGE' + terragrunt plan -var 'image=${{env.IMAGE}}' diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl new file mode 100644 index 000000000..76d583483 --- /dev/null +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl 
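Review bot: The fix to the `terragrunt plan` line in verify-backend.yaml swaps a shell variable for a `${{env.IMAGE}}` expression, but `IMAGE` is already exported into the step environment by the workflow-level `env:` block, so the original problem was only the single quotes and `terragrunt plan -var "image=$IMAGE"` is enough. Keeping `${{ }}` expansion out of `run:` scripts is the habit worth preserving: the value is pasted into the script before the shell sees it, which is harmless for a workflow-defined constant but becomes a script-injection path as soon as the same pattern is used with a step output or event field. The step header for this `run:` block is outside the hunk.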
@@ -0,0 +1,54 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "env" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/services/backend-service" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + private_subnets = ["subnet-mocksubnet1234567"] + } +} + +dependency "backend-infra" { + config_path = "../backend-infra" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + target_group_key = "MOCK_KEY" + log_group = "MOCK_LOGS" + ecs_cluster = "MOCK_CLUSTER_ID" + security_group = "MOCK_SG" + } +} + +locals { + environment = include.env.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" + region = include.env.locals.region + project_tags = include.root.locals.tags + environment_tags = include.env.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + name_prefix = local.name_prefix + region = local.region + subnets = dependency.vpc.outputs.private_subnets + log_group = dependency.backend-infra.outputs.log_group + target_group_arn = dependency.backend-infra.outputs.target_group_arn + security_group = dependency.backend-infra.outputs.security_group_id + ecs_cluster = dependency.backend-infra.outputs.cluster_id + tags = local.tags +} \ No newline at end of file From 089a6835c2d293d5193592009d42f4069d8147f3 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:24:26 -0400 Subject: [PATCH 050/298] fixed backend-service dependency --- .../production/services/backend-service/terragrunt.hcl | 4 ++-- .../stage/services/backend-service/terragrunt.hcl | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
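Review bot: `tags = "${merge(local.project_tags, local.environment_tags)}"` in the `locals` block wraps a single expression in an interpolation string, which HCL treats as a legacy form and warns about; `tags = merge(local.project_tags, local.environment_tags)` is the plain equivalent. The new production file is byte-identical to the stage copy (the stage diff in patch 050 starts from the same blob 76d583483), and every environment-specific value already comes from `include.env`, so a shared common config included from both environments would avoid keeping two copies of the same 54 lines in step by hand.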
diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 76d583483..b0016589f 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -15,9 +15,9 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "plan"] mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567"] + private_subnets = ["subnet-mocksubnet1234567", "plan"] } } diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 76d583483..1f6d2f387 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] } @@ -24,7 +24,7 @@ dependency "vpc" { dependency "backend-infra" { config_path = "../backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "plan"] mock_outputs = { target_group_key = "MOCK_KEY" log_group = "MOCK_LOGS" From 232fd42f9db8a7eb9ad70c351328cc6d1d90ec36 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:27:34 -0400 Subject: [PATCH 051/298] added frontend deployment --- .github/workflows/deploy-frontend.yaml | 40 ++++++++++++++++++++++++++ .github/workflows/primary.yaml | 8 ++++++ 2 files changed, 48 insertions(+) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index e69de29bb..6dcfbac7a 100644 
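Review bot: In the production vpc dependency the string `"plan"` was appended to `private_subnets` instead of to `mock_outputs_allowed_terraform_commands`, so the mock subnet list now carries a value that is not a subnet id; the stage hunks below show the intended edit, and patch 052 corrects it. More generally, allowing mock outputs for `plan` here and in the stage backend-infra dependency means that when upstream state is missing, `plan` succeeds against placeholder ids, and the verify workflow's `continue-on-error: true` steps will not surface that. If mocks are needed so plan can run before vpc/backend-infra have been applied, a comment on the dependency block saying so would stop a placeholder plan from being mistaken for a real review artefact.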
--- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -0,0 +1,40 @@ +name: Deploy Frontend + +# Stop any pending jobs +concurrency: + group: frontend + cancel-in-progress: true + +on: + workflow_call: + inputs: + aws_region: + required: true + type: string + bucket: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: Deploy Frontend + run: aws s3 sync frontend s3://${{inputs.bucket}} + + diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 7950afe59..c20006de6 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -103,3 +103,11 @@ jobs: environment: ${{ matrix.environment }} secrets: inherit + deploy-frontend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + uses: ./.github/workflows/deploy-frontend.yaml + with: + aws_region: us-east-1 + bucket: tb-appointment-stage-frontend + From b271cfa16636f5a4745980948fad0dce5886711b Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:30:13 -0400 Subject: [PATCH 052/298] backend-service dependency --- .../production/services/backend-service/terragrunt.hcl | 6 +++--- .../stage/services/backend-service/terragrunt.hcl | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index b0016589f..2d17da164 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl 
+++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -15,16 +15,16 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567", "plan"] + private_subnets = ["subnet-mocksubnet1234567"] } } dependency "backend-infra" { config_path = "../backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { target_group_key = "MOCK_KEY" log_group = "MOCK_LOGS" diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 1f6d2f387..2d17da164 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] } @@ -24,7 +24,7 @@ dependency "vpc" { dependency "backend-infra" { config_path = "../backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { target_group_key = "MOCK_KEY" log_group = "MOCK_LOGS" From 5a16ee841bec1102577e472231cf8011dba455a1 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:07:34 -0400 Subject: [PATCH 053/298] more backend-service dependencies --- .../production/services/backend-service/terragrunt.hcl | 6 +++--- .../stage/services/backend-service/terragrunt.hcl | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) 
diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 2d17da164..a726b80bf 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_key = "MOCK_KEY" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" log_group = "MOCK_LOGS" - ecs_cluster = "MOCK_CLUSTER_ID" - security_group = "MOCK_SG" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 2d17da164..a726b80bf 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_key = "MOCK_KEY" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" log_group = "MOCK_LOGS" - ecs_cluster = "MOCK_CLUSTER_ID" - security_group = "MOCK_SG" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } From 39376f508fb84b1137e5f7b4ed4e5129406b393f Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:15:27 -0400 Subject: [PATCH 054/298] frontend deployment test --- .github/workflows/primary.yaml | 2 +- frontend/index.html | 1 + .../production/services/backend-service/terragrunt.hcl | 8 ++++---- .../stage/services/backend-service/terragrunt.hcl | 8 ++++---- 4 files changed, 10 insertions(+), 9 deletions(-) 
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index c20006de6..b67d6e2a1 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 diff --git a/frontend/index.html b/frontend/index.html index 5578045d1..a37594f83 100644 --- a/frontend/index.html +++ b/frontend/index.html @@ -27,4 +27,5 @@
+ diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index a726b80bf..8387eec5e 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" - log_group = "MOCK_LOGS" - cluster_id = "MOCK_CLUSTER_ID" - security_group_id = "MOCK_SG" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" + log_group = "MOCK_LOGS" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index a726b80bf..8387eec5e 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" - log_group = "MOCK_LOGS" - cluster_id = "MOCK_CLUSTER_ID" - security_group_id = "MOCK_SG" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" + log_group = "MOCK_LOGS" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } From e52cd1551a879c650cac7ecb12a84a202fbc2d25 Mon Sep 17 00:00:00 2001 
From: Jo Date: Mon, 1 Apr 2024 10:20:29 -0400 Subject: [PATCH 055/298] clean up actions --- .github/workflows/deploy-backend.yaml | 5 +---- .github/workflows/deploy-frontend.yaml | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index 38e93d2dc..6382f5de6 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml @@ -22,10 +22,7 @@ on: type: string env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments + ECR_REPOSITORY: appointment permissions: id-token: write diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 6dcfbac7a..0e4bd6949 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -20,7 +20,7 @@ permissions: contents: read jobs: - deploy-backend: + deploy-frontend: runs-on: ubuntu-latest steps: @@ -36,5 +36,3 @@ jobs: - name: Deploy Frontend run: aws s3 sync frontend s3://${{inputs.bucket}} - - From 4346d39ed1b70d25355903d73806597762d61bad Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:22:28 -0400 Subject: [PATCH 056/298] pass secrets to frontend workflow --- .github/workflows/primary.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index b67d6e2a1..6909be041 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -110,4 +110,5 @@ jobs: with: aws_region: us-east-1 bucket: tb-appointment-stage-frontend + secrets: inherit From ca016a95587922d0b88ecd1dcb01910b251b2007 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:28:46 -0400 Subject: [PATCH 057/298] frontend bucket name fix --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 6909be041..1bc6530c9 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -109,6 +109,6 @@ jobs: uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 - bucket: tb-appointment-stage-frontend + bucket: tb-apmt-stage-frontend secrets: inherit From 85f7ff5716b58cd3c82c8149c72e37f4115307dc Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:38:00 -0400 Subject: [PATCH 058/298] deploy frontend from main branch only --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 1bc6530c9..30867865f 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 7ea04be5b1e90d878f142bc7b5501969b2993b75 Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Mon, 1 Apr 2024 08:14:06 -0700 Subject: [PATCH 059/298] Build the frontend and deploy the build artifacts. --- .github/workflows/deploy-frontend.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 0e4bd6949..f3c3a0507 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml 
@@ -27,6 +27,17 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && npm install + + - name: Build project + run: cd frontend && npm run build + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -35,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend s3://${{inputs.bucket}} + run: aws s3 sync frontend/dist s3://${{inputs.bucket}} From 4dd7d77d0f91b7613ec1e46a99a7e308cc1e11b8 Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Mon, 1 Apr 2024 08:42:30 -0700 Subject: [PATCH 060/298] IC- Switch frontend build to yarn --- .github/workflows/deploy-frontend.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index f3c3a0507..d719274c9 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -33,10 +33,10 @@ jobs: node-version: '18.x' - name: Install dependencies - run: cd frontend && npm install + run: cd frontend && yarn install - name: Build project - run: cd frontend && npm run build + run: cd frontend && yarn build - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 From 788aefd3bba73f2ad5089435c891f177f2c03be2 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 11:23:17 -0400 Subject: [PATCH 061/298] test frontend build --- .github/workflows/deploy-frontend.yaml | 2 +- .github/workflows/primary.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index d719274c9..97e7c77dd 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml 
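Review bot: `yarn install` in the Install dependencies step does not enforce the lockfile, so a CI run can resolve different versions than the committed `yarn.lock` and quietly update it; use `yarn install --frozen-lockfile` (Yarn 1) or `yarn install --immutable` (Yarn 2+), whichever the frontend uses, so the build fails instead of drifting. `actions/setup-node@v4` can also restore the package cache with `cache: 'yarn'`, which keys on that same lockfile. The ordering introduced in patch 059 — install and build before `configure-aws-credentials` — is the right one and worth keeping, since third-party build scripts then run without AWS credentials in the environment.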
@@ -46,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend/dist s3://${{inputs.bucket}} + run: aws s3 sync frontend s3://${{inputs.bucket}} --delete diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 30867865f..1bc6530c9 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 072047b875e5cba3caaf41ed50caf13a043f29fe Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Mon, 1 Apr 2024 08:48:28 -0700 Subject: [PATCH 062/298] IC- Deploy dist --- .github/workflows/deploy-frontend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 97e7c77dd..83bc75f1d 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -46,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend s3://${{inputs.bucket}} --delete + run: aws s3 sync frontend/dist s3://${{inputs.bucket}} --delete From 14e1812675a3d5d5e90963587867949f4331fb18 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 15:12:32 -0400 Subject: [PATCH 063/298] updating cloudfront tls config --- .github/workflows/primary.yaml | 2 +- tofu/modules/services/frontend/main.tf | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 1bc6530c9..30867865f 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml 
@@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 8ab8a2ec0..beaa994eb 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -154,7 +154,9 @@ resource "aws_cloudfront_distribution" "appointment" { viewer_certificate { acm_certificate_arn = var.ssl_cert + cloudfront_default_certificate = false ssl_support_method = "sni-only" + minimum_protocol_version = "TLSv1.2_2021" } } From d187036431927f96cc24956be11215a2fbea9061 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:37:28 -0400 Subject: [PATCH 064/298] backend troubleshooting --- .../services/frontend/terragrunt.hcl | 2 +- .../services/backend-infra/terragrunt.hcl | 1 + .../stage/services/frontend/terragrunt.hcl | 2 +- tofu/modules/network/vpc/main.tf | 27 +++++++++++++++++++ tofu/modules/services/backend-infra/main.tf | 20 ++++++++------ .../services/backend-infra/variables.tf | 5 ++++ tofu/modules/services/frontend/main.tf | 14 +++------- 7 files changed, 50 insertions(+), 21 deletions(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 84087e74b..aecb69f5e 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -32,7 +32,7 @@ locals { tags = "${merge(local.project_tags, local.environment_tags)}" - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4" + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" } inputs = { 
diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 5ed033407..93beded47 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -47,5 +47,6 @@ inputs = { secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index 84087e74b..aecb69f5e 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -32,7 +32,7 @@ locals { tags = "${merge(local.project_tags, local.environment_tags)}" - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4" + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" } inputs = { diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index c0918b00b..431ed2421 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf @@ -228,6 +228,15 @@ resource "aws_security_group" "ecr_endpoint" { }) } +resource "aws_security_group_rule" "ecr_endpoint_ingress" { + type = "ingress" + from_port = 5000 + to_port = 5000 + protocol = "tcp" + cidr_blocks = [module.vpc.vpc_cidr_block] + security_group_id = aws_security_group.ecr_endpoint.id +} + # Secrets endpoint SG resource "aws_security_group" "secrets_endpoint" { name = "${var.name_prefix}-secrets" 
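Review bot: Only the stage backend-infra terragrunt.hcl gains `ssl_cert`, but the new `variable "ssl_cert"` in tofu/modules/services/backend-infra/variables.tf has no default, so the production backend-infra stack will fail `plan` with a missing-variable error until its terragrunt.hcl is updated as well (the diffstat lists no production backend-infra change). The same ARN is now pasted verbatim into three environment files (both frontend terragrunt.hcl files and this one); reading it from an `environment.hcl` local, e.g. `ssl_cert = include.env.locals.ssl_cert`, gives one place to rotate it. Sharing one certificate between stage and production also means its expiry or replacement hits both environments at once, which deserves a comment if it is deliberate.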
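Review bot: The new `ecr_endpoint_ingress` rule opens TCP 5000 on the ECR endpoint security group, but VPC interface endpoints for ECR, Secrets Manager and CloudWatch Logs accept connections on TCP 443, so this rule — and the matching `secrets_endpoint_ingress` and `logs_endpoint_ingress` rules in the next two hunks — will not let tasks reach the endpoints; 5000 is the backend container/ALB port. Change all three to `from_port = 443` / `to_port = 443`, and if ECS tasks are the only intended clients, replace `cidr_blocks = [module.vpc.vpc_cidr_block]` with `source_security_group_id` pointing at the task security group so the endpoints are not reachable from the whole VPC. A one-line comment on each rule stating which clients it admits would make the intent reviewable.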
@@ -238,6 +247,15 @@ resource "aws_security_group" "secrets_endpoint" { }) } +resource "aws_security_group_rule" "secrets_endpoint_ingress" { + type = "ingress" + from_port = 5000 + to_port = 5000 + protocol = "tcp" + cidr_blocks = [module.vpc.vpc_cidr_block] + security_group_id = aws_security_group.secrets_endpoint.id +} + # Logs endpoint SG resource "aws_security_group" "logs_endpoint" { name = "${var.name_prefix}-logs" @@ -247,3 +265,12 @@ resource "aws_security_group" "logs_endpoint" { Name = "${var.name_prefix}-logs-endpoint" }) } + +resource "aws_security_group_rule" "logs_endpoint_ingress" { + type = "ingress" + from_port = 5000 + to_port = 5000 + protocol = "tcp" + cidr_blocks = [module.vpc.vpc_cidr_block] + security_group_id = aws_security_group.logs_endpoint.id +} diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index c695fcf70..95976f1f9 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -61,13 +61,17 @@ module "backend_alb" { } listeners = { - http = { - port = 5000 - protocol = "HTTP" - forward = { - target_group_key = local.target_group_key + https = { + port = 5000 + protocol = "HTTPS" + certificate_arn = var.ssl_cert + fixed_response = { + content_type = "text/plain" + message_body = "" + status_code = 503 } + rules = { custom-header = { actions = [{ @@ -87,8 +91,8 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { - name = "${var.name_prefix}-ecs-backend" - protocol = "HTTP" + name = "${var.name_prefix}-backend" + protocol = "HTTPS" port = 5000 target_type = "ip" deregistration_delay = 5 @@ -101,7 +105,7 @@ module "backend_alb" { matcher = "200" path = "/api/v1" port = "traffic-port" - protocol = "HTTP" + protocol = "HTTPS" timeout = 5 unhealthy_threshold = 2 } diff --git a/tofu/modules/services/backend-infra/variables.tf b/tofu/modules/services/backend-infra/variables.tf index 8a75fb8db..1daee3dda 100644 
--- a/tofu/modules/services/backend-infra/variables.tf +++ b/tofu/modules/services/backend-infra/variables.tf @@ -52,4 +52,9 @@ variable "backend_image" { description = "Backend image ECR URI" type = string default = "public.ecr.aws/amazonlinux/amazonlinux:minimal" +} + +variable "ssl_cert" { + description = "SSL certificate ARN in AWS Certificate Manager" + type = string } \ No newline at end of file diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index beaa994eb..b606bd530 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -38,16 +38,6 @@ resource "aws_s3_bucket_public_access_block" "public_access" { restrict_public_buckets = true } -/*resource "aws_s3_bucket_website_configuration" "frontend" { - bucket = aws_s3_bucket.frontend.id - index_document { - suffix = "index.html" - } - error_document { - key = "error.html" - } -}*/ - resource "aws_s3_bucket_policy" "allow_access_from_cloudfront" { bucket = aws_s3_bucket.frontend.id policy = data.aws_iam_policy_document.allow_access_from_cloudfront.json @@ -82,6 +72,8 @@ resource "aws_cloudfront_distribution" "appointment" { enabled = true default_root_object = "index.html" + aliases = ["${var.environment}.appointment.day"] + origin { origin_id = "${var.name_prefix}-frontend" domain_name = aws_s3_bucket.frontend.bucket_domain_name @@ -93,7 +85,7 @@ resource "aws_cloudfront_distribution" "appointment" { domain_name = var.backend_dns_name custom_origin_config { http_port = 80 - https_port = 443 + https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] } From 332ed48d0b2b96bca75c36d578de3c223e17c2c4 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:41:15 -0400 Subject: [PATCH 065/298] backend troubleshooting --- .github/workflows/primary.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 30867865f..74804ea57 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -90,7 +90,7 @@ jobs: deploy-backend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 46d0cc8952e2111a3aec208ee79f4b35bd4ab93e Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:48:32 -0400 Subject: [PATCH 066/298] backend troubleshooting --- .github/workflows/primary.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 74804ea57..d37b8fd46 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -90,7 +90,6 @@ jobs: deploy-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -105,7 +104,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 548d944e2df369af7ca63ed93c665efef088c6e3 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:51:26 -0400 Subject: [PATCH 067/298] backend troubleshooting --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
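Review bot: Dropping the `if:` line from `deploy-backend` means the job now runs for every ref and event that triggers primary.yaml, not only pushes to `main`; whether that includes pull_request events cannot be seen here, but if it does, a PR branch can reach `terragrunt apply` with the deploy credentials. The `deploy-frontend` job in the following hunk is restored to `github.ref == 'refs/heads/main'`, so the backend job looks like a troubleshooting leftover rather than a deliberate policy. Restore the guard once the backend is stable: `if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true'`.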
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index d37b8fd46..85443d86d 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 1b9a4294e6ade5c0fd2cdc41d3e139698d71d9f6 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 14:00:20 -0400 Subject: [PATCH 068/298] backend troubleshooting --- .github/workflows/deploy-backend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index 6382f5de6..a2e3f8dce 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml @@ -79,6 +79,6 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan terragrunt apply tfplan From 7de23af524445b44ee531f162ad81d29867e7caf Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 14:26:30 -0400 Subject: [PATCH 069/298] backend troubleshooting --- tofu/modules/network/vpc/main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index 431ed2421..cf07f88da 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf @@ -230,8 +230,8 @@ resource "aws_security_group" "ecr_endpoint" { resource "aws_security_group_rule" "ecr_endpoint_ingress" { type = "ingress" - from_port = 5000 - to_port = 5000 + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = [module.vpc.vpc_cidr_block] security_group_id = aws_security_group.ecr_endpoint.id 
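Review bot: `${{ steps.build-backend.outputs.image_backend }}` is expanded into the `run:` script before the shell executes it, so any metacharacters in that output (for example if the tag is ever derived from a branch or PR name) would be interpreted by the shell rather than passed to terragrunt. Passing it through the environment avoids that: add `env:` with `IMAGE: ${{ steps.build-backend.outputs.image_backend }}` to the step and use `terragrunt plan -var "image=$IMAGE" -out tfplan`. Saving the plan with `-out tfplan` and applying that exact file is the right fix for the apply step.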
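Review bot: The ECR endpoint rule opens port 443 to the entire VPC CIDR (`cidr_blocks = [module.vpc.vpc_cidr_block]`) although the only intended client is the ECS task ENI; a `source_security_group_id` pointing at the task/service security group would be tighter and would not widen if the CIDR changes. The same comment applies to the secrets and logs endpoint rules in the following hunks. Moving from 5000 to 443 is correct, since interface endpoints terminate TLS on 443; a short comment such as `# Interface endpoints listen on 443 only` would keep the next troubleshooting pass from changing it back.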
@@ -249,8 +249,8 @@ resource "aws_security_group" "secrets_endpoint" { resource "aws_security_group_rule" "secrets_endpoint_ingress" { type = "ingress" - from_port = 5000 - to_port = 5000 + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = [module.vpc.vpc_cidr_block] security_group_id = aws_security_group.secrets_endpoint.id @@ -268,8 +268,8 @@ resource "aws_security_group" "logs_endpoint" { resource "aws_security_group_rule" "logs_endpoint_ingress" { type = "ingress" - from_port = 5000 - to_port = 5000 + from_port = 443 + to_port = 443 protocol = "tcp" cidr_blocks = [module.vpc.vpc_cidr_block] security_group_id = aws_security_group.logs_endpoint.id From 19e115febcc1399c17c4e95b622f800bf9fb6bfd Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 14:57:00 -0400 Subject: [PATCH 070/298] backend troubleshooting --- .../stage/services/backend-service/terragrunt.hcl | 2 ++ tofu/modules/network/vpc/outputs.tf | 4 ++++ tofu/modules/services/backend-service/main.tf | 2 +- tofu/modules/services/backend-service/variables.tf | 5 +++++ 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 8387eec5e..4b26e0fb6 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -18,6 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] + ecs_execution_role = "mockrolearn" } } @@ -50,5 +51,6 @@ inputs = { target_group_arn = dependency.backend-infra.outputs.target_group_arn security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id + task_execution_role = dependency.vpc.outputs.ecs_execution_role tags = local.tags } \ No newline at end of file 
diff --git a/tofu/modules/network/vpc/outputs.tf b/tofu/modules/network/vpc/outputs.tf index 65dc4dcbf..a85f6ba46 100644 --- a/tofu/modules/network/vpc/outputs.tf +++ b/tofu/modules/network/vpc/outputs.tf @@ -32,4 +32,8 @@ output "secrets_endpoint_security_group" { output "logs_endpoint_security_group" { value = aws_security_group.logs_endpoint.id +} + +output "ecs_execution_role" { + value = module.ecs_task_execution_role.iam_role_arn } \ No newline at end of file diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index ec92a4ba3..49ae436a7 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf @@ -22,7 +22,7 @@ resource "aws_ecs_service" "backend_service" { resource "aws_ecs_task_definition" "backend" { family = "appointment-definition" - execution_role_arn = "arn:aws:iam::768512802988:role/apointments-ci-role" + execution_role_arn = var.task_execution_role network_mode = "awsvpc" requires_compatibilities = ["FARGATE"] cpu = "512" diff --git a/tofu/modules/services/backend-service/variables.tf b/tofu/modules/services/backend-service/variables.tf index 5a501953e..cf42aec36 100644 --- a/tofu/modules/services/backend-service/variables.tf +++ b/tofu/modules/services/backend-service/variables.tf @@ -41,4 +41,9 @@ variable "security_group" { variable "image" { description = "Backend Docker image" type = string +} + +variable "task_execution_role" { + description = "ECS task execution role" + type = string } \ No newline at end of file From 0138c0524bca0ed3f874a88fb6e108a07704552b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 15:05:52 -0400 Subject: [PATCH 071/298] backend troubleshooting --- .../services/backend-service/terragrunt.hcl | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 4b26e0fb6..ef29569ad 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -17,8 +17,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "mockrolearn" + private_subnets = ["subnet-mocksubnet1234567"] + ecs_execution_role = "arn:mockrolearn" } } @@ -44,13 +44,13 @@ locals { } inputs = { - name_prefix = local.name_prefix - region = local.region - subnets = dependency.vpc.outputs.private_subnets - log_group = dependency.backend-infra.outputs.log_group - target_group_arn = dependency.backend-infra.outputs.target_group_arn - security_group = dependency.backend-infra.outputs.security_group_id - ecs_cluster = dependency.backend-infra.outputs.cluster_id + name_prefix = local.name_prefix + region = local.region + subnets = dependency.vpc.outputs.private_subnets + log_group = dependency.backend-infra.outputs.log_group + target_group_arn = dependency.backend-infra.outputs.target_group_arn + security_group = dependency.backend-infra.outputs.security_group_id + ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - tags = local.tags + tags = local.tags } \ No newline at end of file From 045ae8ea4ddfab16597278cb11989a541fd54195 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 15:51:07 -0400 Subject: [PATCH 072/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 95976f1f9..b2cb27e63 100644 --- a/tofu/modules/services/backend-infra/main.tf 
+++ b/tofu/modules/services/backend-infra/main.tf @@ -92,7 +92,7 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { name = "${var.name_prefix}-backend" - protocol = "HTTPS" + protocol = "HTTP" port = 5000 target_type = "ip" deregistration_delay = 5 @@ -100,12 +100,12 @@ module "backend_alb" { health_check = { enabled = true - healthy_threshold = 5 - interval = 30 + healthy_threshold = 2 + interval = 10 matcher = "200" - path = "/api/v1" + path = "/" port = "traffic-port" - protocol = "HTTPS" + protocol = "HTTP" timeout = 5 unhealthy_threshold = 2 } From a6afac96151f719a5da870be3387127e3fe1c4cb Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 16:10:48 -0400 Subject: [PATCH 073/298] backend troubleshooting --- tofu/modules/services/backend-service/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index 49ae436a7..10a4cd5de 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf @@ -15,6 +15,7 @@ resource "aws_ecs_service" "backend_service" { subnets = var.subnets } + health_check_grace_period_seconds = 180 task_definition = aws_ecs_task_definition.backend.arn desired_count = 1 tags = var.tags From cd0228779815c223b552378662b176f212dce281 Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 5 Apr 2024 09:06:21 -0400 Subject: [PATCH 074/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index b2cb27e63..fd273006d 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
@@ -62,10 +62,10 @@ module "backend_alb" { listeners = { - https = { + http = { port = 5000 - protocol = "HTTPS" - certificate_arn = var.ssl_cert + protocol = "HTTP" + #certificate_arn = var.ssl_cert fixed_response = { content_type = "text/plain" message_body = "" From 9e9b2d8a555fb1d2b926ff7e86678792d223ab4a Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 5 Apr 2024 09:10:45 -0400 Subject: [PATCH 075/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index fd273006d..04735c655 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -91,7 +91,7 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { - name = "${var.name_prefix}-backend" + name = "${var.name_prefix}-backend-test" protocol = "HTTP" port = 5000 target_type = "ip" From 713a439903d211049fb9070226f82c02fb5329f0 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 7 Apr 2024 09:46:44 -0400 Subject: [PATCH 076/298] backend troubleshooting --- .../services/backend-infra/terragrunt.hcl | 4 +-- tofu/modules/services/backend-infra/main.tf | 8 +++--- tofu/modules/services/frontend/main.tf | 27 ++++++++++++++++--- 3 files changed, 30 insertions(+), 9 deletions(-) diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 93beded47..ebb7f7d1b 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] - private_subnets = [] + public_subnets = [] ecr_endpoint_security_group = "mock_sg" secrets_endpoint_security_group = "mock_sg" logs_endpoint_security_group = "mock_sg" 
@@ -42,7 +42,7 @@ inputs = { name_prefix = local.name_prefix region = local.region vpc = dependency.vpc.outputs.vpc_id - subnets = dependency.vpc.outputs.private_subnets + subnets = dependency.vpc.outputs.public_subnets ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 04735c655..de00a224d 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -44,8 +44,8 @@ module "backend_alb" { security_group_ingress_rules = { inbound = { - from_port = 5000 - to_port = 5000 + from_port = 80 + to_port = 80 ip_protocol = "tcp" prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id } @@ -63,7 +63,7 @@ module "backend_alb" { listeners = { http = { - port = 5000 + port = 80 protocol = "HTTP" #certificate_arn = var.ssl_cert fixed_response = { @@ -91,7 +91,7 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { - name = "${var.name_prefix}-backend-test" + name = "${var.name_prefix}-backend" protocol = "HTTP" port = 5000 target_type = "ip" diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index b606bd530..2b090e988 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -84,7 +84,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 80 + http_port = 5000 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] 
@@ -111,7 +111,7 @@ resource "aws_cloudfront_distribution" "appointment" { } } - viewer_protocol_policy = "allow-all" + viewer_protocol_policy = "redirect-to-https" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 @@ -131,7 +131,28 @@ resource "aws_cloudfront_distribution" "appointment" { } } - viewer_protocol_policy = "allow-all" + viewer_protocol_policy = "redirect-to-https" + min_ttl = 0 + default_ttl = 3600 + max_ttl = 86400 + + } + + ordered_cache_behavior { + path_pattern = "/fxa" + allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "PATCH"] + cached_methods = ["GET", "HEAD", "OPTIONS"] + target_origin_id = var.backend_id + + forwarded_values { + query_string = true + + cookies { + forward = "all" + } + } + + viewer_protocol_policy = "redirect-to-https" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 From 60fa28eaf52bac0c0ee150f52205c44af2821624 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 10 Apr 2024 13:40:46 -0400 Subject: [PATCH 077/298] add api rewriting and x-allow secret generation --- .../backend-infra/.terraform.lock.hcl | 17 +++++ .../services/backend-infra/terragrunt.hcl | 2 +- tofu/modules/services/backend-infra/main.tf | 29 ++++++-- .../services/backend-infra/variables.tf | 2 +- tofu/modules/services/frontend/main.tf | 70 +++++++++++++++---- 5 files changed, 97 insertions(+), 23 deletions(-) diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index 16bf2d314..c2f80a665 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
@@ -18,3 +18,20 @@ provider "registry.opentofu.org/hashicorp/aws" { "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", ] } + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + hashes = [ + "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index ebb7f7d1b..6441d796d 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] - public_subnets = [] + public_subnets = [] ecr_endpoint_security_group = "mock_sg" secrets_endpoint_security_group = "mock_sg" logs_endpoint_security_group = "mock_sg" diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index de00a224d..778cbb010 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
@@ -12,6 +12,23 @@ locals { target_group_key = "${var.name_prefix}-backend" } +resource "random_string" "x_allow_value" { + length = 128 + lower = true + numeric = true + special = true + upper = true +} + +resource "aws_secretsmanager_secret" "x_allow_secret" { + name = "${var.name_prefix}-x-allow-secret" +} + +resource "aws_secretsmanager_secret_version" "x_allow_secret_version" { + secret_id = aws_secretsmanager_secret.x_allow_secret.name + secret_string = random_string.x_allow_value.result +} + module "ecs_cluster" { source = "github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster" @@ -44,8 +61,8 @@ module "backend_alb" { security_group_ingress_rules = { inbound = { - from_port = 80 - to_port = 80 + from_port = 5000 + to_port = 5000 ip_protocol = "tcp" prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id } @@ -63,9 +80,9 @@ module "backend_alb" { listeners = { http = { - port = 80 - protocol = "HTTP" - #certificate_arn = var.ssl_cert + port = 5000 + protocol = "HTTPS" + certificate_arn = var.ssl_cert fixed_response = { content_type = "text/plain" message_body = "" @@ -81,7 +98,7 @@ module "backend_alb" { conditions = [{ http_header = { http_header_name = "X-Allow" - values = ["test"] + values = [random_string.x_allow_value.result] } }] } diff --git a/tofu/modules/services/backend-infra/variables.tf b/tofu/modules/services/backend-infra/variables.tf index 1daee3dda..26c1c97cc 100644 --- a/tofu/modules/services/backend-infra/variables.tf +++ b/tofu/modules/services/backend-infra/variables.tf @@ -57,4 +57,4 @@ variable "backend_image" { variable "ssl_cert" { description = "SSL certificate ARN in AWS Certificate Manager" type = string -} \ No newline at end of file +} diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 2b090e988..d3bd6f019 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf 
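Review bot: `random_string` with `special = true` can emit `*`, `?` and `\`, which per the ALB docs act as wildcard and escape characters in an `http_header` condition value, so the generated X-Allow value used in the listener rule below may match more loosely than intended or fail to match its own literal; 128 characters is also the documented maximum for a condition value, so there is no headroom. Restrict the alphabet with `override_special = "!#$%&()+,-.:;<=>@[]^_{|}~"` (or `special = false`) and use `random_password` instead of `random_string` so the value is marked sensitive in plan output. Either way the value lives in plaintext in the state file, so state backend encryption and access control are what actually protect it; a comment above the resource saying so would help the next reader.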
@@ -67,6 +67,18 @@ data "aws_iam_policy_document" "allow_access_from_cloudfront" { } # Cloudfront Distribution +data "aws_cloudfront_cache_policy" "CachingDisabled" { + name = "Managed-CachingDisabled" +} + +data "aws_cloudfront_origin_request_policy" "AllViewer" { + name = "Managed-AllViewer" +} + +data "aws_secretsmanager_secret_version" "x_allow_value" { + secret_id = "${var.name_prefix}-x-allow-secret" +} + resource "aws_cloudfront_distribution" "appointment" { comment = "appointment ${var.environment} frontend" enabled = true @@ -84,7 +96,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 5000 + http_port = 80 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] @@ -92,7 +104,7 @@ resource "aws_cloudfront_distribution" "appointment" { custom_header { name = "X-Allow" - value = "test" + value = data.aws_secretsmanager_secret_version.x_allow_value.secret_string } } @@ -123,12 +135,12 @@ resource "aws_cloudfront_distribution" "appointment" { cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = var.backend_id - forwarded_values { - query_string = true + cache_policy_id = data.aws_cloudfront_cache_policy.CachingDisabled.id + origin_request_policy_id = data.aws_cloudfront_origin_request_policy.AllViewer.id - cookies { - forward = "all" - } + function_association { + event_type = "viewer-request" + function_arn = aws_cloudfront_function.rewrite_api.arn } viewer_protocol_policy = "redirect-to-https" 
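Review bot: `data "aws_secretsmanager_secret_version" "x_allow_value"` resolves the secret by name, so nothing here orders the frontend module after backend-infra; on a fresh environment the plan fails until the secret exists, and a terragrunt `dependency` on backend-infra would make that explicit. The resolved value is written into the distribution's `custom_header` and therefore into the frontend state file and the CloudFront distribution config, so anyone with `cloudfront:GetDistributionConfig` or state read access can bypass the ALB gate. Worth a comment above the data block, e.g. `# Shared secret presented to the ALB as X-Allow; value is exposed in state and in the distribution config`.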
@@ -144,13 +156,8 @@ resource "aws_cloudfront_distribution" "appointment" { cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = var.backend_id - forwarded_values { - query_string = true - - cookies { - forward = "all" - } - } + cache_policy_id = data.aws_cloudfront_cache_policy.CachingDisabled.id + origin_request_policy_id = data.aws_cloudfront_origin_request_policy.AllViewer.id viewer_protocol_policy = "redirect-to-https" min_ttl = 0 @@ -178,4 +185,37 @@ resource "aws_cloudfront_origin_access_control" "oac" { origin_access_control_origin_type = "s3" signing_behavior = "always" signing_protocol = "sigv4" -} \ No newline at end of file +} + +resource "aws_cloudfront_function" "rewrite_api" { + name = "rewrite_api" + runtime = "cloudfront-js-2.0" + code = < Date: Tue, 16 Apr 2024 11:51:13 -0400 Subject: [PATCH 078/298] api uri rewrite update --- tofu/modules/services/backend-infra/main.tf | 22 +++++- tofu/modules/services/frontend/main.tf | 85 ++++++++++++++------- 2 files changed, 79 insertions(+), 28 deletions(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 778cbb010..1014d3d93 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -60,11 +60,17 @@ module "backend_alb" { enable_deletion_protection = false #var.environment != "sandbox" ? true : false security_group_ingress_rules = { - inbound = { + inbound_5000 = { from_port = 5000 to_port = 5000 ip_protocol = "tcp" prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id + }, + inbound_80 = { + from_port = 80 + to_port = 80 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" } } @@ -79,7 +85,7 @@ module "backend_alb" { listeners = { - http = { + https = { port = 5000 protocol = "HTTPS" certificate_arn = var.ssl_cert 
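Review bot: `inbound_80` opens the ALB to `0.0.0.0/0`, which is far wider than the CloudFront prefix list used for port 5000 and makes the load balancer directly discoverable on the internet; it is only safe because the port-80 listener added later in this patch does nothing but redirect. Add a comment to that effect so a later change that attaches a forward action to port 80 is caught in review, e.g. `# Public on purpose: port 80 serves only the shortlink redirect, never the API`. If the redirect could be served from CloudFront instead, the ALB could stay reachable only from the CloudFront prefix list.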
@@ -103,6 +109,18 @@ module "backend_alb" { }] } } + }, + shortlink = { + port = 80 + protocol = "HTTP" + + redirect = { + status_code = "HTTP_302" + host = "${var.environment}.appointment.day" + path = "/user/#{path}" + port = 443 + protocol = "HTTPS" + } } } diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index d3bd6f019..ca9725521 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -1,6 +1,7 @@ # S3 Bucket locals { bucket = "${var.name_prefix}-frontend" + log_bucket = "${var.name_prefix}-frontend-logs" } resource "aws_s3_bucket" "frontend" { @@ -13,14 +14,14 @@ resource "aws_s3_bucket" "frontend" { }) } -resource "aws_s3_bucket_versioning" "enabled" { +resource "aws_s3_bucket_versioning" "frontend" { bucket = aws_s3_bucket.frontend.bucket versioning_configuration { status = "Enabled" } } -resource "aws_s3_bucket_server_side_encryption_configuration" "default" { +resource "aws_s3_bucket_server_side_encryption_configuration" "frontend" { bucket = aws_s3_bucket.frontend.bucket rule { @@ -30,7 +31,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "default" { } } -resource "aws_s3_bucket_public_access_block" "public_access" { +resource "aws_s3_bucket_public_access_block" "frontend" { bucket = aws_s3_bucket.frontend.bucket block_public_acls = true block_public_policy = true @@ -86,6 +87,11 @@ resource "aws_cloudfront_distribution" "appointment" { aliases = ["${var.environment}.appointment.day"] + logging_config { + bucket = "${aws_s3_bucket.request_logs.id}.s3.amazonaws.com" + include_cookies = true + } + origin { origin_id = "${var.name_prefix}-frontend" domain_name = aws_s3_bucket.frontend.bucket_domain_name @@ -124,9 +130,6 @@ resource "aws_cloudfront_distribution" "appointment" { } viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 } ordered_cache_behavior { 
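Review bot: `path = "/user/#{path}"` produces a double slash: per the ALB redirect docs `#{path}` already includes the leading `/`, so a request for `/abc` is redirected to `/user//abc`. Use `path = "/user#{path}"` instead. The redirect also hard-codes `${var.environment}.appointment.day`, duplicating the CloudFront alias in frontend/main.tf; a single variable for the public hostname would keep the two from drifting.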
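Review bot: `include_cookies = true` writes every viewer cookie — including whatever session or FxA cookies are forwarded to `/fxa` and the API behaviors — into the access-log bucket, which turns the log bucket into a credential store. Unless cookie values are needed for debugging, set `include_cookies = false`; if they are needed, make sure `aws_s3_bucket.request_logs` (defined outside this hunk) has a public access block, server-side encryption, and a short lifecycle expiry. Removing the explicit TTLs is consistent with the managed CachingDisabled policy on those behaviors.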
@@ -144,9 +147,6 @@ resource "aws_cloudfront_distribution" "appointment" { } viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 } @@ -160,9 +160,6 @@ resource "aws_cloudfront_distribution" "appointment" { origin_request_policy_id = data.aws_cloudfront_origin_request_policy.AllViewer.id viewer_protocol_policy = "redirect-to-https" - min_ttl = 0 - default_ttl = 3600 - max_ttl = 86400 } @@ -188,7 +185,7 @@ resource "aws_cloudfront_origin_access_control" "oac" { } resource "aws_cloudfront_function" "rewrite_api" { - name = "rewrite_api" + name = "${var.name_prefix}-rewrite-api" runtime = "cloudfront-js-2.0" code = < Date: Tue, 16 Apr 2024 09:49:46 -0700 Subject: [PATCH 079/298] Frontend IAC: Pass the build environment mode to yarn build (e.g. staging, production) Just does staging for now. --- .github/workflows/deploy-frontend.yaml | 5 ++++- .github/workflows/primary.yaml | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 83bc75f1d..f24be6b26 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -14,6 +14,9 @@ on: bucket: required: true type: string + build_environment: + required: true + type: string permissions: id-token: write @@ -36,7 +39,7 @@ jobs: run: cd frontend && yarn install - name: Build project - run: cd frontend && yarn build + run: cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 85443d86d..a2cd19a61 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -109,5 +109,6 @@ jobs: with: aws_region: us-east-1 bucket: tb-apmt-stage-frontend + build_environment: staging secrets: inherit From ff3bafb41016b52f818e8b648b46697bc9cbc269 Mon Sep 17 00:00:00 2001 
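Review bot: `yarn build --mode ${{inputs.build_environment}}` in the Build project step interpolates a workflow expression straight into the shell script, so the value becomes script text instead of quoted data. The input comes from a `workflow_call` caller and is trusted today, but the same pattern is repeated in the deploy-frontend hunks on L138 and L143 (`cp frontend/.env.${{inputs.build_environment}}.example …`). Pass it through the step `env:` and reference it as a shell variable instead: `env: { BUILD_ENVIRONMENT: ${{ inputs.build_environment }} }` and then `yarn build --mode "$BUILD_ENVIRONMENT"`. The enclosing job definition starts outside the hunk.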
From: Jo Date: Tue, 16 Apr 2024 15:32:50 -0400 Subject: [PATCH 080/298] add index.html function --- .github/workflows/deploy-frontend.yaml | 4 +++- tofu/modules/services/frontend/main.tf | 29 ++++++++++++++++++++++---- 2 files changed, 28 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index f24be6b26..2ed6e9e0b 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -39,7 +39,9 @@ jobs: run: cd frontend && yarn install - name: Build project - run: cd frontend && yarn build --mode ${{inputs.build_environment}} + run: | + cp /build/frontend/.env.staging.example /build/frontend/.env.staging + cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index ca9725521..7bead7be6 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -83,7 +83,7 @@ data "aws_secretsmanager_secret_version" "x_allow_value" { resource "aws_cloudfront_distribution" "appointment" { comment = "appointment ${var.environment} frontend" enabled = true - default_root_object = "index.html" + //default_root_object = "index.html" aliases = ["${var.environment}.appointment.day"] 
@@ -197,15 +197,36 @@ resource "aws_cloudfront_function" "rewrite_api" { request.uri = request.uri.replace(apiPath, ""); } // Remove the index.html default root object added by Cloudfront - if (request.uri.endsWith('index.html')) { - request.uri = request.uri.replace('index.html', ""); - } + //if (request.uri.endsWith('index.html')) { + // request.uri = request.uri.replace('index.html', ""); + //} // else carry on like normal. return request; } EOT } +resource "aws_cloudfront_function" "add_index" { + name = "${var.name_prefix}-add-index" + runtime = "cloudfront-js-2.0" + code = < Date: Wed, 17 Apr 2024 08:08:32 -0400 Subject: [PATCH 081/298] frontend test --- .github/workflows/primary.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index a2cd19a61..6b26f31c7 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -104,7 +104,6 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 37ec671cddb161d5371cebec75d3a4f7159a50c4 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 08:12:38 -0400 Subject: [PATCH 082/298] frontend test --- .github/workflows/deploy-frontend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 2ed6e9e0b..299ec5875 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -40,7 +40,7 @@ jobs: - name: Build project run: | - cp /build/frontend/.env.staging.example /build/frontend/.env.staging + cp frontend/.env.staging.example frontend/.env.staging cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials From 8bd944dc8d9c174155c6b07c6ef0b6a6ad6e9f43 Mon Sep 17 00:00:00 2001 
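Review bot: Deleting the `if:` line leaves `deploy-frontend` with no branch condition and no `needs.detect-changes.outputs.run-frontend` check, so every push on any branch that reaches this workflow now deploys the frontend (the `with:` block below it, seen on L137, targets the `tb-apmt-stage-frontend` bucket with `secrets: inherit`). The commit message says this is a test, but this guard is the only thing separating a feature-branch push from a live deployment, so it should be restored before merge. If a test run on another branch is needed, keep the change-detection half and swap only the ref: `if: github.ref == 'refs/heads/<test-branch>' && needs.detect-changes.outputs.run-frontend == 'true'`. The `jobs:` map starts outside the hunk.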
From: Jo Date: Wed, 17 Apr 2024 08:17:30 -0400 Subject: [PATCH 083/298] temporarily run all steps on add-tf-iac branch --- .github/workflows/primary.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 6b26f31c7..24315d3fd 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -55,7 +55,7 @@ jobs: apply-iac: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -70,12 +70,12 @@ jobs: ci-tests: needs: detect-changes - if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + if: github.ref == 'refs/heads/add-tf-iac' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml verify-backend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -90,6 +90,7 @@ jobs: deploy-backend: needs: detect-changes + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -104,6 +105,7 @@ jobs: deploy-frontend: needs: detect-changes + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 4740487fc8de903b281b5caf3718f6627b3036db Mon Sep 17 00:00:00 2001 
From: Jo Date: Wed, 17 Apr 2024 08:26:02 -0400 Subject: [PATCH 084/298] fix apply-iac workflow & production backend-service --- .github/workflows/apply-iac.yaml | 12 ++++++------ .../services/backend-service/terragrunt.hcl | 2 ++ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml index f531f3c02..64a0ef0b8 100644 --- a/.github/workflows/apply-iac.yaml +++ b/.github/workflows/apply-iac.yaml @@ -21,7 +21,7 @@ permissions: contents: read jobs: - validate-iac: + apply-iac: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -50,7 +50,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan tfplan + terragrunt plan -out tfplan terragrunt apply tfplan - name: backend-infra @@ -58,7 +58,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: cache @@ -66,7 +66,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: database @@ -74,7 +74,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: frontend @@ -82,5 +82,5 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 8387eec5e..fff6fe397 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -18,6 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] + ecs_execution_role = "arn:mockrolearn" } } 
@@ -50,5 +51,6 @@ inputs = { target_group_arn = dependency.backend-infra.outputs.target_group_arn security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id + task_execution_role = dependency.vpc.outputs.ecs_execution_role tags = local.tags } \ No newline at end of file From d0c0c6b2e36ace8c6930c68d06907a7be3c9c376 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 08:32:33 -0400 Subject: [PATCH 085/298] fix mock execution role & temporailiry disable verify-iac for add-tf-iac branch --- .github/workflows/primary.yaml | 4 ++-- .../production/services/backend-service/terragrunt.hcl | 2 +- .../stage/services/backend-service/terragrunt.hcl | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 24315d3fd..c2ab73e2c 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -40,7 +40,7 @@ jobs: verify-iac: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index fff6fe397..9db40c45d 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl 
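Review bot: Flipping `verify-iac` and `verify-backend` to `github.ref != 'refs/heads/add-tf-iac'` disables the verification jobs on exactly the branch where `apply-iac`, `deploy-backend` and `deploy-frontend` were gated to run in the previous patch (L140), so applies from that branch get no verify step at all. That patch also left `verify-backend` at `!= 'refs/heads/main'` while its siblings used `== 'refs/heads/add-tf-iac'`, which reads as an inconsistency rather than a deliberate choice. Hard-coded feature-branch names in five `if:` conditions are easy to forget to revert; a single repository variable or `workflow_dispatch` input naming the branch would make the temporary gate visible and one-line to remove. The `jobs:` map continues outside the hunk.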
@@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "arn:mockrolearn" + ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn" } } diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index ef29569ad..196527cc9 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "arn:mockrolearn" + ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn" } } From 2236f6460c0f6423b3d0a2626e47183d50e8383d Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 09:58:42 -0400 Subject: [PATCH 086/298] frontend build environment --- .github/workflows/deploy-frontend.yaml | 2 +- tofu/modules/services/frontend/main.tf | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 299ec5875..fbe5db6fc 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -40,7 +40,7 @@ jobs: - name: Build project run: | - cp frontend/.env.staging.example frontend/.env.staging + cp frontend/.env.${{inputs.build_environment}}.example frontend/.env.${{inputs.build_environment}} cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 7bead7be6..51357e690 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf 
@@ -72,6 +72,10 @@ data "aws_cloudfront_cache_policy" "CachingDisabled" { name = "Managed-CachingDisabled" } +data "aws_cloudfront_cache_policy" "CachingOptimized" { + name = "Managed-CachingOptimized" +} + data "aws_cloudfront_origin_request_policy" "AllViewer" { name = "Managed-AllViewer" } @@ -121,12 +125,11 @@ resource "aws_cloudfront_distribution" "appointment" { cached_methods = ["GET", "HEAD"] target_origin_id = "${var.name_prefix}-frontend" - forwarded_values { - query_string = false + cache_policy_id = data.aws_cloudfront_cache_policy.CachingOptimized.id - cookies { - forward = "none" - } + function_association { + event_type = "viewer-request" + function_arn = aws_cloudfront_function.add_index.arn } viewer_protocol_policy = "redirect-to-https" From b37eb145e6292d67bac6cbcfed9c07509956f8b9 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:41:39 -0400 Subject: [PATCH 087/298] replacing DB secrets --- .github/workflows/primary.yaml | 1 + .../data-store/database/.terraform.lock.hcl | 26 ++++++------- .../backend-infra/.terraform.lock.hcl | 26 ++++++------- tofu/modules/data-store/database/main.tf | 2 +- .../backend-infra/.terraform.lock.hcl | 37 +++++++++++++++++++ tofu/modules/services/backend-infra/main.tf | 19 +++++++++- tofu/modules/services/backend-service/main.tf | 2 +- 7 files changed, 84 insertions(+), 29 deletions(-) create mode 100644 tofu/modules/services/backend-infra/.terraform.lock.hcl diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index c2ab73e2c..5d7f516a5 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -35,6 +35,7 @@ jobs: - '.github/workflows/**' run-backend: - 'backend/**' + 'tofu/modules/services/backend-service/**' run-frontend: - 'frontend/**' diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index 520f9bfec..1e3000f45 100644 
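Review bot: Switching the S3 default behavior to `Managed-CachingOptimized` while the viewer-request function rewrites extension-less paths to `/index.html` means the SPA entry document is cached at the edge for the policy's default TTL, so a new frontend build is not served until the distribution is invalidated or the object expires. None of the deploy-frontend hunks visible in this series creates an invalidation; if that happens elsewhere a comment here would help, otherwise add a `create-invalidation` step after the S3 sync or give `/index.html` a short-TTL policy. A why-comment above `cache_policy_id` would also record the assumption, e.g. `# assumes build output uses hashed asset names; index.html relies on deploy-time invalidation — confirm`. The `aws_cloudfront_distribution` block starts before the hunk.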
--- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.opentofu.org/hashicorp/aws" { version = "5.41.0" - constraints = ">= 5.36.0" + constraints = ">= 5.36.0, 5.41.0" hashes = [ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", 
@@ -20,19 +20,19 @@ provider "registry.opentofu.org/hashicorp/aws" { } provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.0" + version = "3.6.1" constraints = ">= 3.1.0" hashes = [ - "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", - "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", - "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", - "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", - "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", - "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", - "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", - "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", - "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", - "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", - "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index c2f80a665..6deed94e4 100644 
--- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl @@ -3,7 +3,7 @@ provider "registry.opentofu.org/hashicorp/aws" { version = "5.41.0" - constraints = ">= 4.66.1, >= 5.33.0" + constraints = ">= 4.66.1, >= 5.33.0, 5.41.0" hashes = [ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", 
@@ -20,18 +20,18 @@ provider "registry.opentofu.org/hashicorp/aws" { } provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.0" + version = "3.6.1" hashes = [ - "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", - "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", - "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", - "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", - "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", - "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", - "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", - "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", - "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", - "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", - "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/modules/data-store/database/main.tf b/tofu/modules/data-store/database/main.tf index a71d703f0..43782d0d4 100644 --- a/tofu/modules/data-store/database/main.tf +++ b/tofu/modules/data-store/database/main.tf 
@@ -1,5 +1,5 @@ data "aws_secretsmanager_secret" "db_secrets" { - arn = "arn:aws:secretsmanager:${var.region}:768512802988:secret:staging/appointment/db-temp-loy40P" + arn = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" } data "aws_secretsmanager_secret_version" "current" { secret_id = data.aws_secretsmanager_secret.db_secrets.id diff --git a/tofu/modules/services/backend-infra/.terraform.lock.hcl b/tofu/modules/services/backend-infra/.terraform.lock.hcl new file mode 100644 index 000000000..181a05a23 --- /dev/null +++ b/tofu/modules/services/backend-infra/.terraform.lock.hcl 
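Review bot: The `db_secrets` data source now pins a single stage-specific ARN (`us-east-1`, `tb-apmt-stage-db-secret-V0syHj`) inside the shared `tofu/modules/data-store/database` module, replacing the `${var.region}`-based lookup, so any other environment instantiating this module (a production stack exists under `tofu/environments/production`) would read the stage database secret. The same literal is repeated in the ECS task definition `secrets` block of `tofu/modules/services/backend-service/main.tf` in this patch (L151). Pass the ARN in as a per-environment module input set from terragrunt, e.g. `arn = var.db_secret_arn` with a matching `variable "db_secret_arn"` declaration (name is a suggestion), or look the secret up by a name derived from `var.name_prefix`.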
@@ -0,0 +1,37 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.45.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:3zU3yp1SY+8vHAQvhfhYdPnFYQpFwXXXar+hOrnofzQ=", + "zh:1d71c406aeaf4ba762eb62e4595ab9c9f8da1a2c9b74bb4277c0acfd9678ae65", + "zh:3b00b13154eadedb37bca99bf7cbd556fa9472e6900c970effa17a270ee9f721", + "zh:6f264e8b70153925ac8abfa83ebffe2c2d5a27ab5557a6b16124269b08ac2441", + "zh:80f7d552faf5c43d7dc22c6c1f7e70557b9f01c67db07abbb0330d5d3fc0e464", + "zh:863a2a2e6ae5b42fc46b209d8f2761c882d46aca481a8c49ef221d290b4fd88e", + "zh:8e3bddeb2da7e6bcfd0b0221a083778d2f7fc5cd64f55de7d8d79bd1f7378bae", + "zh:c726104e46cd743bbf240101d7975f44091d893b6e97b46070df0041779b04d2", + "zh:db73a89b462fdd6eb6f32e6ed464430a895fc2e54fb629e8b99773fc32a6a7a8", + "zh:e35179b89eba358f521ffd4546345b4d0683ca3364a9deb8f3b7b4bf60be6f02", + "zh:e7b54a0faecd34a9c73729d1d1f0cfc1b8f56bae789f95987002616f1265ce72", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", + ] +} 
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 1014d3d93..d8aa7d396 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -20,8 +20,16 @@ resource "random_string" "x_allow_value" { upper = true } +resource "random_string" "x_allow_suffix" { + length = 8 + lower = true + numeric = false + special = false + upper = true +} + resource "aws_secretsmanager_secret" "x_allow_secret" { - name = "${var.name_prefix}-x-allow-secret" + name = "${var.name_prefix}-x-allow-secret-${random_string.x_allow_suffix.result}" } resource "aws_secretsmanager_secret_version" "x_allow_secret_version" { @@ -220,4 +228,13 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" { to_port = 443 ip_protocol = "tcp" prefix_list_id = data.aws_prefix_list.s3.id +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_all" { + security_group_id = aws_security_group.backend.id + description = "TLS to internet" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" } \ No newline at end of file diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index 10a4cd5de..d10fe128a 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf @@ -110,7 +110,7 @@ resource "aws_ecs_task_definition" "backend" { secrets = [ { "name" : "DATABASE_SECRETS", - "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-mysql-Ixf6qD" + "valueFrom" : "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" }, { "name" : "DB_ENC_SECRET", From 00b018ad6eb67aae33e8106b63f83a34e70f57b2 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:43:22 -0400 Subject: [PATCH 088/298] workflow typo fix --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
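Review bot: `allow_tls_to_all` opens 443 egress from the backend security group to `0.0.0.0/0`, next to the existing rule that limited TLS egress to the S3 prefix list, and the hunk does not say which destination needed the widening. If the driver is Secrets Manager or other AWS APIs, interface VPC endpoints keep that traffic on the prefix-list model and let this rule stay narrow; if the rule is needed for true internet dependencies, make the description say which, e.g. `description = "TLS to internet for <dependency placeholder>; AWS APIs should use VPC endpoints"`. The new `random_string.x_allow_suffix` also deserves a one-line comment on why the secret name is suffixed; presumably this avoids clashes with a same-named secret still in its deletion-recovery window, but that should be confirmed and written down.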
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 5d7f516a5..2d5452902 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -35,7 +35,7 @@ jobs: - '.github/workflows/**' run-backend: - 'backend/**' - 'tofu/modules/services/backend-service/**' + - 'tofu/modules/services/backend-service/**' run-frontend: - 'frontend/**' From cf53efbc9f03289e1df82fb2dece8c8123526157 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:56:13 -0400 Subject: [PATCH 089/298] improve x-allow secret handling --- tofu/environments/stage/services/frontend/terragrunt.hcl | 1 + tofu/modules/services/backend-infra/outputs.tf | 4 ++++ tofu/modules/services/frontend/main.tf | 8 ++------ tofu/modules/services/frontend/variables.tf | 5 +++++ 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index aecb69f5e..32f72f487 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -43,4 +43,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file diff --git a/tofu/modules/services/backend-infra/outputs.tf b/tofu/modules/services/backend-infra/outputs.tf index 7e8a9217b..ccd04ad0d 100644 --- a/tofu/modules/services/backend-infra/outputs.tf +++ b/tofu/modules/services/backend-infra/outputs.tf @@ -24,4 +24,8 @@ output "log_group" { output "cluster_id" { value = module.ecs_cluster.id +} + +output "x_allow_secret" { + value = aws_secretsmanager_secret.x_allow_secret.name } \ No newline at end of file diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 51357e690..22ab43434 100644 
--- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -81,7 +81,7 @@ data "aws_cloudfront_origin_request_policy" "AllViewer" { } data "aws_secretsmanager_secret_version" "x_allow_value" { - secret_id = "${var.name_prefix}-x-allow-secret" + secret_id = var.x_allow_secret } resource "aws_cloudfront_distribution" "appointment" { @@ -199,10 +199,6 @@ resource "aws_cloudfront_function" "rewrite_api" { if (request.uri.indexOf(apiPath) === 0) { request.uri = request.uri.replace(apiPath, ""); } - // Remove the index.html default root object added by Cloudfront - //if (request.uri.endsWith('index.html')) { - // request.uri = request.uri.replace('index.html', ""); - //} // else carry on like normal. return request; } @@ -222,7 +218,7 @@ resource "aws_cloudfront_function" "add_index" { request.uri += 'index.html'; } // Check whether the URI is missing a file extension. - else if (uri == '') { + else if (!uri.includes('.')) { request.uri += '/index.html'; } diff --git a/tofu/modules/services/frontend/variables.tf b/tofu/modules/services/frontend/variables.tf index 46e64a471..7615aaf3d 100644 --- a/tofu/modules/services/frontend/variables.tf +++ b/tofu/modules/services/frontend/variables.tf @@ -37,3 +37,8 @@ variable "backend_dns_name" { description = "Backend DNS name" type = string } + +variable "x_allow_secret" { + description = "X-Allow header secret" + type = string +} \ No newline at end of file From f1b4622db9482d5da84c0a897529a7de876e64bb Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 14:08:17 -0400 Subject: [PATCH 090/298] index function fix --- tofu/modules/services/frontend/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 22ab43434..907054943 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf 
@@ -219,7 +219,7 @@ resource "aws_cloudfront_function" "add_index" { } // Check whether the URI is missing a file extension. else if (!uri.includes('.')) { - request.uri += '/index.html'; + request.uri = '/index.html'; } return request; From 1d5d5377d70909ec19e08474a9cdf7acf2fe64c8 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 15:36:26 -0400 Subject: [PATCH 091/298] db secrets access & tls requirement --- tofu/modules/data-store/database/main.tf | 2 +- tofu/modules/network/vpc/main.tf | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/tofu/modules/data-store/database/main.tf b/tofu/modules/data-store/database/main.tf index 43782d0d4..ba8589f9c 100644 --- a/tofu/modules/data-store/database/main.tf +++ b/tofu/modules/data-store/database/main.tf @@ -45,7 +45,7 @@ module "db" { parameters = [ { name = "require_secure_transport" - value = 1 + value = 0 } ] diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index cf07f88da..015a96f36 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf @@ -132,7 +132,8 @@ resource "aws_iam_policy" "appointment_secrets_policy" { "secretsmanager:GetSecretValue" ], "Resource": [ - "arn:aws:secretsmanager:${var.region}:768512802988:secret:${var.environment}/appointment/*" + "arn:aws:secretsmanager:${var.region}:768512802988:secret:staging/appointment/*", + "arn:aws:secretsmanager:${var.region}:768512802988:secret:${var.name_prefix}-db-secret-*" ] } ] From ca20a4234f21ae5f83ce5198c543fd360855d245 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 12:38:01 -0400 Subject: [PATCH 092/298] fix rewrite function --- tofu/README.md | 16 ++++++------ tofu/modules/services/frontend/main.tf | 36 ++++++++++---------------- 2 files changed, 21 insertions(+), 31 deletions(-) diff --git a/tofu/README.md b/tofu/README.md index 3a4d7b48a..fdf2be4ed 100644 --- a/tofu/README.md +++ b/tofu/README.md 
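Review bot: Changing `require_secure_transport` from `1` to `0` turns off enforced TLS for database connections even though the commit title describes a "tls requirement"; with `0` the server accepts plaintext connections from any client that does not opt into TLS. If the backend failed to connect over TLS, the fix belongs on the client side (trusting the RDS CA, enabling the `ssl` option on the connection) rather than relaxing the parameter group; if it must stay at `0` temporarily, mark it so it is not forgotten, e.g. `# TEMP: TLS enforcement disabled until the backend client trusts the RDS CA — revert to 1`. The `module "db"` block starts before the hunk.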
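Review bot: The `Resource` list in `appointment_secrets_policy` now hard-codes `secret:staging/appointment/*` in the shared `tofu/modules/network/vpc` module, so every environment's execution role, production included, is granted `GetSecretValue` on the staging secrets, whereas the removed `${var.environment}/appointment/*` form kept the grant per environment. Keep the environment-scoped pattern and add the new prefix-based entry beside it: `"arn:aws:secretsmanager:${var.region}:768512802988:secret:${var.environment}/appointment/*",` followed by the `${var.name_prefix}-db-secret-*` line. If stage genuinely uses the `staging/` naming while other environments do not, express that as a per-environment variable set in terragrunt rather than a literal in the module. The `aws_iam_policy` block starts before the hunk.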
@@ -1,4 +1,4 @@ -## Tooling +# Tooling Code was written and tested with the following (these versions are enforced in code as minimums): @@ -56,7 +56,7 @@ This is deployed individually before any other stacks and generally should not c 1. tofu/environments/\/terraform/tfbackend 1. `cd tofu/environments//terraform/tfbackend` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` @@ -67,31 +67,31 @@ These should be deployed in the following order and generally will only be updat 1. tofu/environments/\/network/vpc 1. `cd tofu/environments//network/vpc` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` 2. tofu/environments/\/services/backend-infra 1. `cd tofu/environments//services/backend-infra` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` 3. tofu/environments/\/data-store/cache 1. `cd tofu/environments//datastore/cache` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` 4. tofu/environments/\/data-store/database 1. `cd tofu/environments//data-store/database` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` 5. tofu/environments/\/services/frontend 1. `cd tofu/environments//services/frontend` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` @@ -100,7 +100,7 @@ These should be deployed in the following order and generally will only be updat 1. tofu/environments/\/services/backend-service 1. `cd tofu/environments//services/backend-service` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` 
diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 907054943..a4d61dea3 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -129,7 +129,7 @@ resource "aws_cloudfront_distribution" "appointment" { function_association { event_type = "viewer-request" - function_arn = aws_cloudfront_function.add_index.arn + function_arn = aws_cloudfront_function.rewrite_api.arn } viewer_protocol_policy = "redirect-to-https" @@ -162,6 +162,11 @@ resource "aws_cloudfront_distribution" "appointment" { cache_policy_id = data.aws_cloudfront_cache_policy.CachingDisabled.id origin_request_policy_id = data.aws_cloudfront_origin_request_policy.AllViewer.id + function_association { + event_type = "viewer-request" + function_arn = aws_cloudfront_function.rewrite_api.arn + } + viewer_protocol_policy = "redirect-to-https" } @@ -194,38 +199,23 @@ resource "aws_cloudfront_function" "rewrite_api" { async function handler(event) { const request = event.request; const apiPath = "/api/v1"; + const ignorePaths = ['/fxa', '/assets', '/appointment_logo.svg']; + const pathCheckFn = (path) => request.uri.startsWith(path); // If our api path is the first thing that's found in the uri then remove it from the uri. if (request.uri.indexOf(apiPath) === 0) { - request.uri = request.uri.replace(apiPath, ""); + request.uri = request.uri.replace(apiPath, ""); + } else if (!ignorePaths.some(pathCheckFn)) { + // If we're not in one of the ignorePaths then force them to /index.html + request.uri = '/index.html'; } + // else carry on like normal. return request; } EOT } -resource "aws_cloudfront_function" "add_index" { - name = "${var.name_prefix}-add-index" - runtime = "cloudfront-js-2.0" - code = < Date: Mon, 22 Apr 2024 12:40:20 -0400 Subject: [PATCH 093/298] add smtp outbound --- tofu/modules/services/backend-infra/main.tf | 9 +++++++++ 1 file changed, 9 insertions(+) 
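Review bot: In `rewrite_api`, `pathCheckFn` uses `startsWith`, so `/fxa` and `/assets` also exempt any URI that merely begins with those characters (such as `/fxa-other`), and the `apiPath` test one line up still uses `indexOf(...) === 0` for the same kind of check. Consider matching on the path boundary, `const pathCheckFn = (path) => request.uri === path || request.uri.startsWith(path + '/');`, and using `startsWith` for the api test as well so the two read alike. A short comment on `ignorePaths` saying why each entry must bypass the `/index.html` fallback would help, since that list will need maintaining. The removed `add_index` function is cut off at the end of this hunk as rendered, so its tail is not reviewable here.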
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf
index d8aa7d396..5c4597f7b 100644
--- a/tofu/modules/services/backend-infra/main.tf
+++ b/tofu/modules/services/backend-infra/main.tf
@@ -237,4 +237,13 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_to_all" {
 to_port = 443
 ip_protocol = "tcp"
 cidr_ipv4 = "0.0.0.0/0"
+}
+
+resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" {
+ security_group_id = aws_security_group.backend.id
+ description = "smtp to internet"
+ from_port = 587
+ to_port = 587
+ ip_protocol = "tcp"
+ cidr_ipv4 = "0.0.0.0/0"
 }
\ No newline at end of file
From b5e67429a784b0deb4f930332d519bafb28c8910 Mon Sep 17 00:00:00 2001
From: Jo
Date: Mon, 22 Apr 2024 12:56:58 -0400
Subject: [PATCH 094/298] env env variables
---
 .github/workflows/primary.yaml | 38 +++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml
index 2d5452902..e2132e4d0 100644
--- a/.github/workflows/primary.yaml
+++ b/.github/workflows/primary.yaml
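Review bot: `allow_smtp_to_all` opens outbound TCP 587 from the backend security group to `0.0.0.0/0`, which is broader than the single mail relay the description suggests. If the SMTP provider publishes its endpoints, narrow `cidr_ipv4` to them (or use `prefix_list_id`) and name the provider in `description` so the next reader knows what the rule serves; if it genuinely must be any host, say so in a comment on the rule. The `allow_tls_to_all` resource above it starts outside the hunk.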
@@ -41,75 +41,75 @@ jobs: verify-iac: needs: detect-changes - if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/verify-iac.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit apply-iac: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/apply-iac.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit ci-tests: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/verify-backend.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit 
deploy-backend: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/deploy-backend.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: - aws_region: us-east-1 + aws_region: $AWS_REGION bucket: tb-apmt-stage-frontend build_environment: staging secrets: inherit From 44afb020a2c4e5ba0c4d25ed7195d1bbf45a4835 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:07:51 -0400 Subject: [PATCH 095/298] remove env context from with key --- .github/workflows/primary.yaml | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index e2132e4d0..aaa0a47f3 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -11,11 +11,6 @@ permissions: id-token: write contents: read -env: - TF_VERSION: '1.6.2' - TG_VERSION: '0.55.15' - AWS_REGION: us-east-1 - jobs: detect-changes: runs-on: ubuntu-latest @@ -48,9 +43,9 @@ jobs: environment: [stage, production] uses: ./.github/workflows/verify-iac.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit 
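Review bot: Dropping the `env` block restores five copies of the literal `tf_version`, `tg_version` and `aws_region` values in this file, so a version bump has to be edited in every `with:` block again. As far as I know the `env` context is indeed not available in `jobs.<job_id>.with` for reusable-workflow calls, which is why the previous commit's `$TF_VERSION` strings would have been passed through literally, but the `vars` context is, so repository variables such as `${{ vars.TF_VERSION }}` would give one source of truth (outputs of `detect-changes` via `needs` are the in-file alternative). The same duplication is reintroduced in the four later hunks of this file.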
@@ -63,9 +58,9 @@ jobs: environment: [stage] uses: ./.github/workflows/apply-iac.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -83,9 +78,9 @@ jobs: environment: [stage, production] uses: ./.github/workflows/verify-backend.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -98,9 +93,9 @@ jobs: environment: [stage] uses: ./.github/workflows/deploy-backend.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -109,7 +104,7 @@ jobs: if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: - aws_region: $AWS_REGION + aws_region: us-east-1 bucket: tb-apmt-stage-frontend build_environment: staging secrets: inherit From d74d6ee981711814b057658c8fefa2eb76b39d12 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:18:09 -0400 Subject: [PATCH 096/298] terragrunt upgrade --- .github/workflows/apply-iac.yaml | 10 +++++----- .github/workflows/deploy-backend.yaml | 2 +- .github/workflows/verify-backend.yaml | 2 +- .github/workflows/verify-iac.yaml | 10 +++++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml index 64a0ef0b8..14056124d 100644 --- a/.github/workflows/apply-iac.yaml +++ b/.github/workflows/apply-iac.yaml 
@@ -48,7 +48,7 @@ jobs: - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -56,7 +56,7 @@ jobs: - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -64,7 +64,7 @@ jobs: - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -72,7 +72,7 @@ jobs: - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -80,7 +80,7 @@ jobs: - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index a2e3f8dce..d0c511d65 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml @@ -77,7 +77,7 @@ jobs: - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan terragrunt apply tfplan diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index e8f28488d..db05a4534 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml 
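Review bot: `terragrunt init -upgrade` in the `vpc` step of apply-iac.yaml tells tofu to disregard the provider selections recorded in `.terraform.lock.hcl` and take the newest version the constraints allow, so the provider that gets applied can differ from the one the committed lock file was checked with, and the refreshed lock file is discarded with the runner. For an apply pipeline, prefer plain `terragrunt init` and let lock-file updates land through a reviewed commit, or at least confine `-upgrade` to the verify workflows. The same change is made in the other four steps of this file and in deploy-backend.yaml, verify-backend.yaml and verify-iac.yaml in this commit.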
@@ -68,7 +68,7 @@ jobs: - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -var 'image=${{env.IMAGE}}' diff --git a/.github/workflows/verify-iac.yaml b/.github/workflows/verify-iac.yaml index fe1767803..3ac7fa3f1 100644 --- a/.github/workflows/verify-iac.yaml +++ b/.github/workflows/verify-iac.yaml @@ -49,7 +49,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -57,7 +57,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -65,7 +65,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -73,13 +73,13 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan From 6250e45c6e3e7e53293c38ae87268598097a7960 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:36:51 -0400 Subject: [PATCH 097/298] relax provider versions --- tofu/environments/stage/environment.hcl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index df71b9023..176dc0c95 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl 
@@ -17,8 +17,11 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = "5.41.0" + version = "~> 5.41.0" } + random = { + source = "hashicorp/random" + version = "~> 3.6.1" } } EOF From 12d44269a91ea5bfbcb32758e6e42e5f28cffcee Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:38:00 -0400 Subject: [PATCH 098/298] relax provider versions --- tofu/environments/stage/environment.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 176dc0c95..d1d74b0b2 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -22,6 +22,7 @@ generate "versions" { random = { source = "hashicorp/random" version = "~> 3.6.1" + } } } EOF From 0dd40af785b16eca566d222e634557f2e4ad1eaf Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:39:57 -0400 Subject: [PATCH 099/298] relax provider versions --- tofu/environments/stage/environment.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index d1d74b0b2..b53daf780 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -17,11 +17,11 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.41.0" + version = "~>= 5.41.0" } random = { source = "hashicorp/random" - version = "~> 3.6.1" + version = "~>= 3.6.1" } } } From e55e464be6ed49ac0d863c9a5bacdca73dad1f1c Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:42:51 -0400 Subject: [PATCH 100/298] adjusting provider requirements --- tofu/environments/stage/environment.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index b53daf780..f0f86d30a 100644 --- a/tofu/environments/stage/environment.hcl 
+++ b/tofu/environments/stage/environment.hcl @@ -17,11 +17,11 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = "~>= 5.41.0" + version = "~> 5.41" } random = { source = "hashicorp/random" - version = "~>= 3.6.1" + version = "~> 3.6" } } } From f167674d2b2cabb4e9cb58054760aef6fe2959c8 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:53:09 -0400 Subject: [PATCH 101/298] adjusting provider requirements --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 ++ tofu/environments/stage/environment.hcl | 2 +- tofu/environments/stage/services/frontend/terragrunt.hcl | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index aecb69f5e..e08624e9c 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -19,6 +19,7 @@ dependency "backend" { mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" + x_allow_secret = "mock_secret" } } @@ -43,4 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index f0f86d30a..73ed9973b 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -17,7 +17,7 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.41" + version = "~> 5.40" } random = { source = "hashicorp/random" diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index 32f72f487..e08624e9c 100644 
--- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -19,6 +19,7 @@ dependency "backend" { mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" + x_allow_secret = "mock_secret" } } From c37047d87eb49dc516f5c511fc97d19fd03926e9 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 14:07:54 -0400 Subject: [PATCH 102/298] adjusting provider requirements --- tofu/environments/stage/environment.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 73ed9973b..8599a965c 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -17,11 +17,11 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.40" + version = ">= 5.41.0" } random = { source = "hashicorp/random" - version = "~> 3.6" + version = ">= 3.6.1" } } } From d388cf6337e20b207073557ab96c453f103cc608 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 14:41:09 -0400 Subject: [PATCH 103/298] adjusting provider requirements --- .../services/backend-infra/terragrunt.hcl | 1 + tofu/environments/stage/environment.hcl | 2 +- .../backend-service/.terraform.lock.hcl | 44 +++++++++++++------ 3 files changed, 33 insertions(+), 14 deletions(-) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 5ed033407..93beded47 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl 
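Review bot: `version = ">= 5.41.0"` for `hashicorp/aws` and `>= 3.6.1` for `hashicorp/random` have no upper bound, so a future major release of either provider satisfies the constraint, and together with the `init -upgrade` added in [PATCH 096/298] any CI run could pull it in unreviewed. A pessimistic constraint such as `version = "~> 5.41"` keeps the minor range open while excluding the next major; that form was already tried in [PATCH 100/298]. The later bumps to `>= 5.40.0` in [PATCH 103/298] and `>= 5.46.0` in [PATCH 104/298] have the same shape.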
@@ -47,5 +47,6 @@ inputs = { secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 8599a965c..0bc38d7b5 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -17,7 +17,7 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.41.0" + version = ">= 5.40.0" } random = { source = "hashicorp/random" diff --git a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl index 373d6d9e3..1a0a0b239 100644 --- a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl 
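Review bot: `ssl_cert` in the production backend-infra inputs is a literal ACM certificate ARN with the region and account baked into the string, whereas the frontend terragrunt.hcl in this series sets `ssl_cert = local.ssl_cert`. Sourcing it the same way, through a local fed from the environment vars, keeps the certificate reference in one place per environment and avoids the literal drifting when the certificate is replaced. The `inputs` block starts outside the hunk.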
@@ -2,19 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = "5.41.0" + version = "5.46.0" + constraints = ">= 5.40.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } From e16a16d2032d619f3a5b94ba8dbe8c461a3c9026 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 15:04:06 -0400 Subject: [PATCH 104/298] adjusting provider versions --- tofu/environments/stage/environment.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 0bc38d7b5..13b0a99d8 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -17,7 +17,7 @@ generate "versions" { required_providers { aws = { source = "hashicorp/aws" - version = ">= 5.40.0" + version = ">= 5.46.0" } random = { source = "hashicorp/random" From 1722f7e9d5237bd9e0b3a681f097309d4d53bfa1 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 15:15:32 -0400 Subject: [PATCH 105/298] removed lock file --- .../backend-infra/.terraform.lock.hcl | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 tofu/modules/services/backend-infra/.terraform.lock.hcl diff --git a/tofu/modules/services/backend-infra/.terraform.lock.hcl b/tofu/modules/services/backend-infra/.terraform.lock.hcl deleted file mode 100644 index 181a05a23..000000000 --- a/tofu/modules/services/backend-infra/.terraform.lock.hcl +++ /dev/null 
@@ -1,37 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.45.0" - constraints = ">= 4.66.1, >= 5.33.0" - hashes = [ - "h1:3zU3yp1SY+8vHAQvhfhYdPnFYQpFwXXXar+hOrnofzQ=", - "zh:1d71c406aeaf4ba762eb62e4595ab9c9f8da1a2c9b74bb4277c0acfd9678ae65", - "zh:3b00b13154eadedb37bca99bf7cbd556fa9472e6900c970effa17a270ee9f721", - "zh:6f264e8b70153925ac8abfa83ebffe2c2d5a27ab5557a6b16124269b08ac2441", - "zh:80f7d552faf5c43d7dc22c6c1f7e70557b9f01c67db07abbb0330d5d3fc0e464", - "zh:863a2a2e6ae5b42fc46b209d8f2761c882d46aca481a8c49ef221d290b4fd88e", - "zh:8e3bddeb2da7e6bcfd0b0221a083778d2f7fc5cd64f55de7d8d79bd1f7378bae", - "zh:c726104e46cd743bbf240101d7975f44091d893b6e97b46070df0041779b04d2", - "zh:db73a89b462fdd6eb6f32e6ed464430a895fc2e54fb629e8b99773fc32a6a7a8", - "zh:e35179b89eba358f521ffd4546345b4d0683ca3364a9deb8f3b7b4bf60be6f02", - "zh:e7b54a0faecd34a9c73729d1d1f0cfc1b8f56bae789f95987002616f1265ce72", - ] -} - -provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.1" - hashes = [ - "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", - "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", - "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", - "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", - "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", - "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", - "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", - "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", - "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", - "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", - "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", - ] -} From 6cab4c8a48c1fd5f2f85970c1419d46ca3b2e580 Mon Sep 17 00:00:00 2001 
From: Jo Date: Tue, 23 Apr 2024 07:25:40 -0400 Subject: [PATCH 106/298] updating terraform lock files --- tofu/README.md | 3 +- .../data-store/cache/.terraform.lock.hcl | 43 +++++++++++++----- .../data-store/database/.terraform.lock.hcl | 26 +++++------ .../stage/network/vpc/.terraform.lock.hcl | 44 +++++++++++++------ .../backend-infra/.terraform.lock.hcl | 26 +++++------ .../services/frontend/.terraform.lock.hcl | 43 +++++++++++++----- 6 files changed, 121 insertions(+), 64 deletions(-) diff --git a/tofu/README.md b/tofu/README.md index fdf2be4ed..4739706ce 100644 --- a/tofu/README.md +++ b/tofu/README.md @@ -4,7 +4,8 @@ Code was written and tested with the following (these versions are enforced in c - OpenTofu v1.6.2 - Terragrunt 0.55.15 -- hashicorp/aws v5.41.0 +- hashicorp/aws v5.46.0 +- hashicorp/random v3.6.1 **Note:** All code should be run through Terragrunt, which will then execute the required Tofu commands diff --git a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl index b88b3b5eb..8d8208be0 100644 --- a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl 
@@ -2,18 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.46.0" + constraints = ">= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index 1e3000f45..c2397ac31 100644 --- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 5.36.0, 5.41.0" + version = "5.46.0" + constraints = ">= 5.36.0, >= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", ] } diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl index c8048244a..fce9acaad 100644 
--- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl +++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl 
@@ -2,19 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 4.0.0, >= 5.30.0" + version = "5.46.0" + constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index 6deed94e4..8d87a3f64 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 4.66.1, >= 5.33.0, 5.41.0" + version = "5.46.0" + constraints = ">= 4.66.1, >= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", ] } diff --git a/tofu/environments/stage/services/frontend/.terraform.lock.hcl b/tofu/environments/stage/services/frontend/.terraform.lock.hcl index b88b3b5eb..8d8208be0 100644 
--- a/tofu/environments/stage/services/frontend/.terraform.lock.hcl +++ b/tofu/environments/stage/services/frontend/.terraform.lock.hcl 
@@ -2,18 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.46.0" + constraints = ">= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } From 587aaef738986c8d9d0ddc808628aea690865e0b Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 23 Apr 2024 07:31:28 -0400 Subject: [PATCH 107/298] initial production test --- .../network/vpc/.terraform.lock.hcl | 24 +++++------ .../backend-infra/.terraform.lock.hcl | 43 +++++++++++++------ .../backend-service/.terraform.lock.hcl | 19 ++++++++ .../services/frontend/.terraform.lock.hcl | 24 +++++------ .../terraform/tfbackend/.terraform.lock.hcl | 24 +++++------ 5 files changed, 85 insertions(+), 49 deletions(-) create mode 100644 tofu/environments/production/services/backend-service/.terraform.lock.hcl diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/production/network/vpc/.terraform.lock.hcl index c8048244a..14c6af9ab 100644 --- a/tofu/environments/production/network/vpc/.terraform.lock.hcl +++ b/tofu/environments/production/network/vpc/.terraform.lock.hcl 
@@ -2,19 +2,19 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.46.0" constraints = ">= 4.0.0, >= 5.30.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", ] } diff --git a/tofu/environments/production/services/backend-infra/.terraform.lock.hcl b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl index 16bf2d314..8d87a3f64 100644 
--- a/tofu/environments/production/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl 
@@ -2,19 +2,36 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 4.66.1, >= 5.33.0" + version = "5.46.0" + constraints = ">= 4.66.1, >= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/environments/production/services/backend-service/.terraform.lock.hcl b/tofu/environments/production/services/backend-service/.terraform.lock.hcl new file mode 100644 index 000000000..839b3300a --- /dev/null +++ b/tofu/environments/production/services/backend-service/.terraform.lock.hcl 
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.46.0" + hashes = [ + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/production/services/frontend/.terraform.lock.hcl index b88b3b5eb..839b3300a 100644 --- a/tofu/environments/production/services/frontend/.terraform.lock.hcl +++ b/tofu/environments/production/services/frontend/.terraform.lock.hcl 
@@ -2,18 +2,18 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", ] } diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl index b88b3b5eb..839b3300a 100644 --- a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl 
+++ b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl @@ -2,18 +2,18 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", ] } From c0bb00fd34316c41507356862fdbc5ed6e71ae5c Mon Sep 17 00:00:00 2001 
From: Jo Date: Mon, 6 May 2024 10:03:36 -0400 Subject: [PATCH 108/298] add github environments and production updates --- .github/workflows/apply-iac.yaml | 86 --------- .github/workflows/ci-tests.yaml | 53 ----- .github/workflows/deploy-backend.yaml | 84 -------- .github/workflows/deploy-frontend.yaml | 54 ------ .github/workflows/deploy-production.yml | 179 +++++++++++++++++ .github/workflows/deploy-staging.yml | 181 ++++++++++++++++++ .github/workflows/primary.yaml | 111 ----------- .github/workflows/validate.yml | 142 ++++++++++++++ .github/workflows/verify-backend.yaml | 74 ------- .github/workflows/verify-iac.yaml | 85 -------- .../data-store/cache/.terraform.lock.hcl | 0 .../data-store/cache/terragrunt.hcl | 0 .../data-store/database/.terraform.lock.hcl | 0 .../data-store/database/terragrunt.hcl | 0 .../{production => prod}/environment.hcl | 0 .../environment_vars.yaml | 2 +- .../network/vpc/.terraform.lock.hcl | 0 .../network/vpc/terragrunt.hcl | 0 .../backend-infra/.terraform.lock.hcl | 0 .../services/backend-infra/terragrunt.hcl | 2 +- .../backend-service/.terraform.lock.hcl | 0 .../services/backend-service/terragrunt.hcl | 79 ++++++++ .../services/frontend/.terraform.lock.hcl | 0 .../services/frontend/terragrunt.hcl | 6 +- .../terraform/tfbackend/.terraform.lock.hcl | 0 .../terraform/tfbackend/terragrunt.hcl | 0 .../services/backend-service/terragrunt.hcl | 56 ------ .../data-store/database/.terraform.lock.hcl | 2 +- .../stage/data-store/database/terragrunt.hcl | 1 + .../stage/network/vpc/.terraform.lock.hcl | 38 ---- .../backend-infra/.terraform.lock.hcl | 3 +- .../services/backend-service/terragrunt.hcl | 23 +++ .../stage/services/frontend/terragrunt.hcl | 6 +- tofu/modules/data-store/database/main.tf | 43 ++++- tofu/modules/data-store/database/outputs.tf | 6 + tofu/modules/data-store/database/variables.tf | 6 + tofu/modules/services/backend-infra/main.tf | 64 +++---- .../modules/services/backend-infra/outputs.tf | 1 + 
.../services/backend-infra/variables.tf | 6 +- tofu/modules/services/backend-service/main.tf | 30 +-- .../services/backend-service/variables.tf | 74 ++++++- tofu/modules/services/frontend/main.tf | 36 ++-- tofu/modules/services/frontend/variables.tf | 2 +- 43 files changed, 804 insertions(+), 731 deletions(-) delete mode 100644 .github/workflows/apply-iac.yaml delete mode 100644 .github/workflows/ci-tests.yaml delete mode 100644 .github/workflows/deploy-backend.yaml delete mode 100644 .github/workflows/deploy-frontend.yaml create mode 100644 .github/workflows/deploy-production.yml create mode 100644 .github/workflows/deploy-staging.yml delete mode 100644 .github/workflows/primary.yaml create mode 100644 .github/workflows/validate.yml delete mode 100644 .github/workflows/verify-backend.yaml delete mode 100644 .github/workflows/verify-iac.yaml rename tofu/environments/{production => prod}/data-store/cache/.terraform.lock.hcl (100%) rename tofu/environments/{production => prod}/data-store/cache/terragrunt.hcl (100%) rename tofu/environments/{production => prod}/data-store/database/.terraform.lock.hcl (100%) rename tofu/environments/{production => prod}/data-store/database/terragrunt.hcl (100%) rename tofu/environments/{production => prod}/environment.hcl (100%) rename tofu/environments/{production => prod}/environment_vars.yaml (51%) rename tofu/environments/{production => prod}/network/vpc/.terraform.lock.hcl (100%) rename tofu/environments/{production => prod}/network/vpc/terragrunt.hcl (100%) rename tofu/environments/{production => prod}/services/backend-infra/.terraform.lock.hcl (100%) rename tofu/environments/{production => prod}/services/backend-infra/terragrunt.hcl (96%) rename tofu/environments/{production => prod}/services/backend-service/.terraform.lock.hcl (100%) create mode 100644 tofu/environments/prod/services/backend-service/terragrunt.hcl rename tofu/environments/{production => prod}/services/frontend/.terraform.lock.hcl (100%) rename 
tofu/environments/{production => prod}/services/frontend/terragrunt.hcl (90%) rename tofu/environments/{production => prod}/terraform/tfbackend/.terraform.lock.hcl (100%) rename tofu/environments/{production => prod}/terraform/tfbackend/terragrunt.hcl (100%) delete mode 100644 tofu/environments/production/services/backend-service/terragrunt.hcl delete mode 100644 tofu/environments/stage/network/vpc/.terraform.lock.hcl
diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml deleted file mode 100644
index 14056124d..000000000
--- a/.github/workflows/apply-iac.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
-name: apply-iac
-
-on:
- workflow_call:
- inputs:
- tf_version:
- required: true
- type: string
- tg_version:
- required: true
- type: string
- aws_region:
- required: true
- type: string
- environment:
- required: true
- type: string
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- apply-iac:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: ${{secrets.IAM_ROLE}}
- role-session-name: GitHub_to_AWS_via_FederatedOIDC
- aws-region: ${{inputs.aws_region}}
-
- - name: install opentofu
- uses: opentofu/setup-opentofu@v1
- with:
- tofu_version: ${{inputs.tf_version}}
- tofu_wrapper: false
-
- - name: install terragrunt
- run: |
- sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64"
- sudo chmod +x /bin/terragrunt
- terragrunt -v
-
- - name: vpc
- working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -out tfplan
- terragrunt apply tfplan
-
- - name: backend-infra
- working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -out tfplan
- terragrunt apply tfplan
-
- - name: cache
- working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -out tfplan
- terragrunt apply tfplan
-
- - name: database
- working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -out tfplan
- terragrunt apply tfplan
-
- - name: frontend
- working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -out tfplan
- terragrunt apply tfplan
diff --git a/.github/workflows/ci-tests.yaml b/.github/workflows/ci-tests.yaml deleted file mode 100644
index 29251fc31..000000000
--- a/.github/workflows/ci-tests.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
-# This workflow will install backend's requirements and run tests
-
-name: Run Tests
-
-on:
- workflow_call:
-
-permissions:
- contents: read
-
-jobs:
- pytest:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - name: Set up Python
- uses: actions/setup-python@v5
- with:
- python-version: '3.11'
- cache: 'pip'
-
- - name: Install dependencies
- run: |
- cd ./backend
- python -m pip install --upgrade pip
- python -m pip install .'[test]'
-
- - name: Test with pytest
- run: |
- cd ./backend && python -m pytest
-
- vitest:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v4
-
- - uses: actions/setup-node@v4
- with:
- node-version: 18
- cache: 'yarn'
- cache-dependency-path: 'frontend/yarn.lock'
-
- - name: Install dependencies
- run: |
- cd ./frontend
- yarn install
-
- - name: Test with vitest
- run: |
- cd ./frontend && yarn test --run
diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml deleted file mode 100644
index d0c511d65..000000000
--- a/.github/workflows/deploy-backend.yaml
+++ /dev/null
@@ -1,84 +0,0 @@
-name: Deploy Backend
-
-# Stop any pending jobs
-concurrency:
- group: backend
- cancel-in-progress: true
-
-on:
- workflow_call:
- inputs:
- tf_version:
- required: true
- type: string
- tg_version:
- required: true
- type: string
- aws_region:
- required: true
- type: string
- environment:
- required: true
- type: string
-
-env:
- ECR_REPOSITORY: appointment
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- deploy-backend:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: ${{secrets.IAM_ROLE}}
- role-session-name: GitHub_to_AWS_via_FederatedOIDC
- aws-region: ${{inputs.aws_region}}
-
- - name: install opentofu
- uses: opentofu/setup-opentofu@v1
- with:
- tofu_version: ${{inputs.tf_version}}
- tofu_wrapper: false
-
- - name: install terragrunt
- run: |
- sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64"
- sudo chmod +x /bin/terragrunt
- terragrunt -v
-
- - name: Login to Amazon ECR
- id: login-ecr
- uses: aws-actions/amazon-ecr-login@v2
- with:
- mask-password: 'true'
-
- - name: Build, tag, and push backend image to Amazon ECR
- id: build-backend
- env:
- ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
- IMAGE_TAG: backend-${{ github.sha }}
- run: |
- # Build a docker container and
- # push it to ECR so that it can
- # be deployed to ECS.
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
- echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
-
- - name: backend-service
- working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service
- run: |
- terragrunt init -upgrade
- terragrunt validate
- terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan
- terragrunt apply tfplan
-
diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml deleted file mode 100644
index fbe5db6fc..000000000
--- a/.github/workflows/deploy-frontend.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Deploy Frontend
-
-# Stop any pending jobs
-concurrency:
- group: frontend
- cancel-in-progress: true
-
-on:
- workflow_call:
- inputs:
- aws_region:
- required: true
- type: string
- bucket:
- required: true
- type: string
- build_environment:
- required: true
- type: string
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- deploy-frontend:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout
- uses: actions/checkout@v4
-
- - name: Setup NPM
- uses: actions/setup-node@v4
- with:
- node-version: '18.x'
-
- - name: Install dependencies
- run: cd frontend && yarn install
-
- - name: Build project
- run: |
- cp frontend/.env.${{inputs.build_environment}}.example frontend/.env.${{inputs.build_environment}}
- cd frontend && yarn build --mode ${{inputs.build_environment}}
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: ${{secrets.IAM_ROLE}}
- role-session-name: GitHub_to_AWS_via_FederatedOIDC
- aws-region: ${{inputs.aws_region}}
-
- - name: Deploy Frontend
- run: aws s3 sync frontend/dist s3://${{inputs.bucket}} --delete
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml new file mode 100644
index 000000000..1156cf9de
--- /dev/null
+++ b/.github/workflows/deploy-production.yml
@@ -0,0 +1,179 @@ +name: deploy-production + +concurrency: + group: deploy-production + cancel-in-progress: true + +on: + workflow_dispatch + +environment: production + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + deploy-iac: ${{ steps.check.outputs.deploy-iac }} + deploy-backend: ${{ steps.check.outputs.deploy-backend }} + deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} + steps: + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + deploy-iac: + - 'tofu/**' + - '.github/workflows/**' + deploy-backend: + - 'backend/**' + - 'tofu/modules/services/backend-service/**' + - 'tofu/environments/stage/services/backend-service/**' + deploy-frontend: + - 'frontend/**' + + deploy-iac: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-iac == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + run: | + 
terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: frontend + working-directory: ./tofu/environments/stage/services/frontend + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + deploy-frontend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-frontend == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && yarn install + + - name: Build project + run: | + cp frontend/.env.${{ vars.APP_ENV }}.example frontend/.env.${{ vars.APP_ENV }} + cd frontend && yarn build --mode ${{ vars.APP_ENV }} + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + deploy-backend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-backend == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + 
terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/$${{ vars.PROJECT }}:backend-${{ github.sha }}' + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_TAG + echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{ inputs.environment }}/services/backend-service + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan + terragrunt apply tfplan diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml new file mode 100644 index 000000000..3a084264a --- /dev/null +++ b/.github/workflows/deploy-staging.yml 
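Review bot: The `Configure AWS credentials` steps have no OIDC token to exchange, because the workflow has no `permissions:` block — the deleted workflows carried `permissions: id-token: write` and `contents: read`, and `role-to-assume` needs `id-token: write` — and the top-level `environment: production` is not a workflow-level key (it belongs under each job, which is presumably also what scopes the `vars.*` and `secrets.IAM_ROLE` these steps read). Add the `permissions:` block at workflow level and move `environment: production` into each deploying job. The image reference is wrong twice in the `build-backend` step: `$${{ vars.PROJECT }}` leaves a literal `$` before the repository name, and `echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT` is single-quoted, so the literal text `$ECR_TAG` is what reaches `terragrunt plan -var 'image=...'`. All `working-directory` values in this production workflow point at `tofu/environments/stage/...`, `${{ inputs.environment }}` in the backend-service step is empty under a `workflow_dispatch` trigger that declares no inputs, and the `deploy-frontend` job builds and assumes the role but has no upload step. The missing permissions, the top-level `environment`, the `$${{` tag and the `inputs.environment` path recur in the deploy-staging hunk that follows, and the top-level `environment` in the validate hunk after it.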
@@ -0,0 +1,181 @@ +name: deploy-staging + +concurrency: + group: deploy-staging + cancel-in-progress: true + +on: + push: + branches: + - main + +environment: staging + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + deploy-iac: ${{ steps.check.outputs.deploy-iac }} + deploy-backend: ${{ steps.check.outputs.deploy-backend }} + deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} + steps: + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + deploy-iac: + - 'tofu/**' + - '.github/workflows/**' + deploy-backend: + - 'backend/**' + - 'tofu/modules/services/backend-service/**' + - 'tofu/environments/stage/services/backend-service/**' + deploy-frontend: + - 'frontend/**' + + deploy-iac: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-iac == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + run: | + 
terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: frontend + working-directory: ./tofu/environments/stage/services/frontend + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + deploy-frontend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-frontend == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && yarn install + + - name: Build project + run: | + cp frontend/.env.${{ vars.APP_ENV }}.example frontend/.env.${{ vars.APP_ENV }} + cd frontend && yarn build --mode ${{ vars.APP_ENV }} + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + deploy-backend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.deploy-backend == 'true' + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + 
terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/$${{ vars.PROJECT }}:backend-${{ github.sha }}' + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_TAG + echo 'image_backend=$ECR_TAG >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{ inputs.environment }}/services/backend-service + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan + terragrunt apply tfplan diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml deleted file mode 100644 index aaa0a47f3..000000000 --- a/.github/workflows/primary.yaml +++ /dev/null 
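Review bot: The `run:` script in the `Build, tag, and push` step has an unterminated quote, `echo 'image_backend=$ECR_TAG >> $GITHUB_OUTPUT` never closes the `'`, so bash rejects the script and the step fails after `docker push` has already published the image; the line should read `echo "image_backend=$ECR_TAG" >> "$GITHUB_OUTPUT"` so the value also expands. The `install terragrunt` step (the same step appears in deploy-production and validate) runs a binary that `wget` wrote into `/bin` with no integrity check; pinning `vars.TG_VERSION` fixes which release is asked for, not what was received, so verifying the download against the release's checksum file before `chmod +x` is the usual fix. `deploy-backend` only `needs: detect-changes`, so it runs concurrently with `deploy-iac`, which is the job that applies the `database` and `backend-infra` stacks that `backend-service` declares as dependencies elsewhere in this commit.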
@@ -1,111 +0,0 @@ -name: Primary Workflow - -concurrency: - group: iac - cancel-in-progress: true - -on: - push: - -permissions: - id-token: write - contents: read - -jobs: - detect-changes: - runs-on: ubuntu-latest - outputs: - run-iac: ${{ steps.check.outputs.run-iac }} - run-backend: ${{ steps.check.outputs.run-backend }} - run-frontend: ${{ steps.check.outputs.run-frontend }} - steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - run-iac: - - 'tofu/**' - - '.github/workflows/**' - run-backend: - - 'backend/**' - - 'tofu/modules/services/backend-service/**' - run-frontend: - - 'frontend/**' - - verify-iac: - needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/verify-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - apply-iac: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/apply-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - ci-tests: - needs: detect-changes - if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') - uses: ./.github/workflows/ci-tests.yaml - - verify-backend: - needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/verify-backend.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment 
}} - secrets: inherit - - deploy-backend: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/deploy-backend.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - deploy-frontend: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' - uses: ./.github/workflows/deploy-frontend.yaml - with: - aws_region: us-east-1 - bucket: tb-apmt-stage-frontend - build_environment: staging - secrets: inherit - diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml new file mode 100644 index 000000000..d784a8c12 --- /dev/null +++ b/.github/workflows/validate.yml 
@@ -0,0 +1,142 @@ +name: validate + +concurrency: + group: validate + cancel-in-progress: true + +on: + push: + branches: + - main + +environment: staging + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + validate-iac: ${{ steps.check.outputs.validate-iac }} + validate-backend: ${{ steps.check.outputs.validate-backend }} + validate-frontend: ${{ steps.check.outputs.validate-frontend }} + steps: + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + validate-iac: + - 'tofu/**' + - '.github/workflows/**' + validate-backend: + - 'backend/**' + - 'tofu/modules/services/backend-service/**' + - 'tofu/environments/stage/services/backend-service/**' + validate-frontend: + - 'frontend/**' + + validate-iac: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.validate-iac == 'true' + steps: + - uses: actions/checkout@v4 + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: frontend + working-directory: 
./tofu/environments/stage/services/frontend + run: | + terragrunt init -upgrade + terragrunt validate + + - name: backend-service + working-directory: ./tofu/environments/stage/services/backend-service + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + validate-backend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.validate-backend == 'true' + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + cache: 'pip' + + - name: Install dependencies + run: | + cd ./backend + python -m pip install --upgrade pip + python -m pip install .'[test]' + + - name: Test with pytest + run: | + cd ./backend && python -m pytest + + validate-frontend: + needs: detect-changes + runs-on: ubuntu-latest + if: needs.detect-changes.outputs.validate-frontend == 'true' + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 18 + cache: 'yarn' + cache-dependency-path: 'frontend/yarn.lock' + + - name: Install dependencies + run: | + cd ./frontend + yarn install + + - name: Test with vitest + run: | + cd ./frontend && yarn test --run diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml deleted file mode 100644 index db05a4534..000000000 --- a/.github/workflows/verify-backend.yaml +++ /dev/null 
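Review bot: `validate-iac` cannot go red: every stack step except `frontend` sets `continue-on-error: true`, so a failing `terragrunt validate` in vpc, backend-infra, cache, database or backend-service still leaves the job and the workflow green. Either remove `continue-on-error`, or give the steps `id`s and add a last step that fails when any `steps.<id>.outcome == 'failure'`, so the job result reflects the validations. The trigger is `push` to `main` only, so validation runs after a merge rather than on a pull request (presumably where a gate is wanted), and the top-level `environment: staging` is not a valid workflow key. Unlike the deleted verify-iac, nothing configures AWS credentials before `terragrunt init`; if the root configuration uses a remote backend the init will presumably fail, and `continue-on-error` would then mask it.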
@@ -1,74 +0,0 @@ -name: Deploy Backend - -# Stop any pending jobs -concurrency: - group: backend - cancel-in-progress: true - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments - IMAGE: dummyimagename - -permissions: - id-token: write - contents: read - -jobs: - validate-backend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: backend-service - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -var 'image=${{env.IMAGE}}' - diff --git a/.github/workflows/verify-iac.yaml b/.github/workflows/verify-iac.yaml deleted file mode 100644 index 3ac7fa3f1..000000000 --- a/.github/workflows/verify-iac.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -name: verify-iac - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -permissions: - id-token: write - contents: read - -jobs: - validate-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: backend-infra - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: cache - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: database - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: frontend - working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan 
diff --git a/tofu/environments/production/data-store/cache/.terraform.lock.hcl b/tofu/environments/prod/data-store/cache/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/data-store/cache/.terraform.lock.hcl
rename to tofu/environments/prod/data-store/cache/.terraform.lock.hcl
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/prod/data-store/cache/terragrunt.hcl
similarity index 100%
rename from tofu/environments/production/data-store/cache/terragrunt.hcl
rename to tofu/environments/prod/data-store/cache/terragrunt.hcl
diff --git a/tofu/environments/production/data-store/database/.terraform.lock.hcl b/tofu/environments/prod/data-store/database/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/data-store/database/.terraform.lock.hcl
rename to tofu/environments/prod/data-store/database/.terraform.lock.hcl
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/prod/data-store/database/terragrunt.hcl
similarity index 100%
rename from tofu/environments/production/data-store/database/terragrunt.hcl
rename to tofu/environments/prod/data-store/database/terragrunt.hcl
diff --git a/tofu/environments/production/environment.hcl b/tofu/environments/prod/environment.hcl
similarity index 100%
rename from tofu/environments/production/environment.hcl
rename to tofu/environments/prod/environment.hcl
diff --git a/tofu/environments/production/environment_vars.yaml b/tofu/environments/prod/environment_vars.yaml
similarity index 51%
rename from tofu/environments/production/environment_vars.yaml
rename to tofu/environments/prod/environment_vars.yaml
index e415a0ef9..fb2734aec 100644
--- a/tofu/environments/production/environment_vars.yaml
+++ b/tofu/environments/prod/environment_vars.yaml
@@ -1,4 +1,4 @@
 ---
-environment: production
+environment: prod
 region: us-east-1
 ...
\ No newline at end of file
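Review bot: Changing `environment` from `production` to `prod` changes the string the stacks interpolate into `name_prefix = "tb-${short_name}-${environment}"` (visible in the new prod backend-service config in this commit, assuming `environment.hcl` reads this file), so resources whose names derive from the prefix will presumably be planned for destroy-and-recreate on the next apply rather than renamed; the commit does not say whether that is intended or whether state moves are planned. A comment next to the value, e.g. `# renamed from "production": name_prefix-derived resources are recreated`, or a note in the commit message, would make the intent explicit. The existing secrets referenced in the prod backend-service config keep their `tb-apmt-production-*` names, so they are unaffected by the rename but no longer match the prefix.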
diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/prod/network/vpc/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/network/vpc/.terraform.lock.hcl
rename to tofu/environments/prod/network/vpc/.terraform.lock.hcl
diff --git a/tofu/environments/production/network/vpc/terragrunt.hcl b/tofu/environments/prod/network/vpc/terragrunt.hcl
similarity index 100%
rename from tofu/environments/production/network/vpc/terragrunt.hcl
rename to tofu/environments/prod/network/vpc/terragrunt.hcl
diff --git a/tofu/environments/production/services/backend-infra/.terraform.lock.hcl b/tofu/environments/prod/services/backend-infra/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/services/backend-infra/.terraform.lock.hcl
rename to tofu/environments/prod/services/backend-infra/.terraform.lock.hcl
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/prod/services/backend-infra/terragrunt.hcl
similarity index 96%
rename from tofu/environments/production/services/backend-infra/terragrunt.hcl
rename to tofu/environments/prod/services/backend-infra/terragrunt.hcl
index 93beded47..a3db7f744 100644
--- a/tofu/environments/production/services/backend-infra/terragrunt.hcl
+++ b/tofu/environments/prod/services/backend-infra/terragrunt.hcl
@@ -42,7 +42,7 @@ inputs = {
 name_prefix = local.name_prefix
 region = local.region
 vpc = dependency.vpc.outputs.vpc_id
- subnets = dependency.vpc.outputs.private_subnets
+ subnets = dependency.vpc.outputs.public_subnets
 ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group
 secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
 logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group
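Review bot: `subnets` for the prod backend-infra stack now resolves to `dependency.vpc.outputs.public_subnets`, with nothing in the commit saying why, while the `ecr_endpoint_security_group`, `secrets_endpoint_security_group` and `logs_endpoint_security_group` inputs on the following lines describe a layout that reaches ECR, Secrets Manager and logging through VPC endpoints from private subnets. If only the load balancer is placed in these subnets, public is expected; if the module also places the ECS cluster's tasks or other ENIs in them they become publicly addressable and the endpoint security groups stop being the only network path — which of the two applies depends on the module, outside this hunk. The prod backend-service config in this commit still passes `private_subnets`, so a comment such as `# public_subnets: internet-facing ALB only; tasks stay in private_subnets (see backend-service)` would record the split, and the stage backend-infra config does not receive the same change in the part of the diff shown.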
diff --git a/tofu/environments/production/services/backend-service/.terraform.lock.hcl b/tofu/environments/prod/services/backend-service/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/services/backend-service/.terraform.lock.hcl
rename to tofu/environments/prod/services/backend-service/.terraform.lock.hcl
diff --git a/tofu/environments/prod/services/backend-service/terragrunt.hcl b/tofu/environments/prod/services/backend-service/terragrunt.hcl
new file mode 100644
index 000000000..a60e54cad
--- /dev/null
+++ b/tofu/environments/prod/services/backend-service/terragrunt.hcl
@@ -0,0 +1,79 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "env" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend-service"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ private_subnets = ["subnet-mocksubnet1234567"]
+ ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn"
+ }
+}
+
+dependency "backend-infra" {
+ config_path = "../backend-infra"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234"
+ log_group = "MOCK_LOGS"
+ cluster_id = "MOCK_CLUSTER_ID"
+ security_group_id = "MOCK_SG"
+ }
+}
+
+dependency "database" {
+ config_path = "../../data-store/database"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ db_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:mocksecretarn"
+ }
+}
+
+locals {
+ project = include.root.locals.project
+ environment = include.env.locals.environment
+ short_name = include.root.locals.short_name
+ name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}"
+ region = include.env.locals.region
+ project_tags = include.root.locals.tags
+ environment_tags = include.env.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ region = local.region
+ subnets = dependency.vpc.outputs.private_subnets
+ log_group = dependency.backend-infra.outputs.log_group
+ target_group_arn = dependency.backend-infra.outputs.target_group_arn
+ security_group = dependency.backend-infra.outputs.security_group_id
+ ecs_cluster = dependency.backend-infra.outputs.cluster_id
+ task_execution_role = dependency.vpc.outputs.ecs_execution_role
+ frontend_url = "https://${local.project}.day"
+ short_base_url = "https://${local.short_name}.day"
+ app_env = local.environment
+ sentry_dsn = "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648"
+ zoom_auth_callback = "https://${local.project}.day/api/v1/zoom/callback"
+ short_name = local.short_name
+ database_secret = dependency.database.outputs.db_secret
+ db_enc_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-db-secret-xcaWVh"
+ smtp_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC"
+ google_oauth_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-google-cal-oauth-8x5LUO"
+ zoom_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi"
+ fxa_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:prod/appointment/fxa-lRA3qx"
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/prod/services/frontend/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/services/frontend/.terraform.lock.hcl
rename to tofu/environments/prod/services/frontend/.terraform.lock.hcl
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/prod/services/frontend/terragrunt.hcl
similarity index 90%
rename from tofu/environments/production/services/frontend/terragrunt.hcl
rename to tofu/environments/prod/services/frontend/terragrunt.hcl
index e08624e9c..b03265193 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/prod/services/frontend/terragrunt.hcl
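Review bot: The prod `inputs` block points `smtp_secret` and `zoom_secret` at secrets named `staging/appointment/socketlabs-...` and `staging/appointment/zoom-...`, so production would read staging SMTP and Zoom credentials; `fxa_secret` uses a `prod/...` name and `db_enc_secret`/`google_oauth_secret` use `tb-apmt-production-...`, so the two `staging/` references look like copy-over errors rather than a deliberate share. `sentry_dsn` is a live DSN committed to the repository; it is not a credential in the strict sense, but anyone with read access can post events to that project, so it belongs in Secrets Manager next to the other secrets or in a variable kept out of version control. Hard-coding full ARNs with the account id and the random name suffix also means every secret that is recreated forces a config commit; passing the secret names and resolving ARNs in the module would decouple the two. `tags = "${merge(...)}"` is legacy interpolation-only syntax and can be written `tags = merge(local.project_tags, local.environment_tags)`.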
@@ -17,8 +17,8 @@ dependency "backend" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { - alb_id = "mock_alb_id" - dns_name = "mock_dns_name" + alb_id = "mock_alb_id" + dns_name = "mock_dns_name" x_allow_secret = "mock_secret" } } @@ -44,5 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name - x_allow_secret = dependency.backend.outputs.x_allow_secret + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/prod/terraform/tfbackend/.terraform.lock.hcl similarity index 100% rename from tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl rename to tofu/environments/prod/terraform/tfbackend/.terraform.lock.hcl diff --git a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl b/tofu/environments/prod/terraform/tfbackend/terragrunt.hcl similarity index 100% rename from tofu/environments/production/terraform/tfbackend/terragrunt.hcl rename to tofu/environments/prod/terraform/tfbackend/terragrunt.hcl diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl deleted file mode 100644 index 9db40c45d..000000000 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ /dev/null 
@@ -1,56 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "env" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/backend-service" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn" - } -} - -dependency "backend-infra" { - config_path = "../backend-infra" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" - log_group = "MOCK_LOGS" - cluster_id = "MOCK_CLUSTER_ID" - security_group_id = "MOCK_SG" - } -} - -locals { - environment = include.env.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" - region = include.env.locals.region - project_tags = include.root.locals.tags - environment_tags = include.env.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - name_prefix = local.name_prefix - region = local.region - subnets = dependency.vpc.outputs.private_subnets - log_group = dependency.backend-infra.outputs.log_group - target_group_arn = dependency.backend-infra.outputs.target_group_arn - security_group = dependency.backend-infra.outputs.security_group_id - ecs_cluster = dependency.backend-infra.outputs.cluster_id - task_execution_role = dependency.vpc.outputs.ecs_execution_role - tags = local.tags -} \ No newline at end of file diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index c2397ac31..a0ce2ccea 100644 --- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl 
+++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl @@ -21,7 +21,7 @@ provider "registry.opentofu.org/hashicorp/aws" { provider "registry.opentofu.org/hashicorp/random" { version = "3.6.1" - constraints = ">= 3.1.0" + constraints = ">= 3.1.0, >= 3.6.1" hashes = [ "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 2a11075fe..5375f95df 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -59,5 +59,6 @@ inputs = { subnet_group = dependency.vpc.outputs.database_subnet_group elasticache_security_group = dependency.cache.outputs.security_group_id backend_security_group = dependency.backend.outputs.security_group_id + database_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl deleted file mode 100644 index fce9acaad..000000000 --- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl +++ /dev/null 
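Review bot: The new `database_secret` input is a literal ARN for a pre-existing `tb-apmt-stage-db-secret-...` secret with no comment on where that secret is created, while the stage backend-service config in this same commit consumes `dependency.database.outputs.db_secret` from this stack; whether the database module creates credentials itself (the `random` provider constraint bumped in the accompanying lock-file hunk hints at generated values) or only re-exports this input cannot be seen here. A comment such as `# pre-existing secret, created out of band; the module re-exports it as db_secret` — or the opposite, if the module generates the password — would tell the next reader which one is the source of truth, and if the module does generate credentials, an externally managed ARN here is a drift risk worth noting in the same comment.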
@@ -1,38 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.46.0"
- constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0"
- hashes = [
- "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=",
- "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f",
- "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40",
- "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310",
- "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232",
- "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f",
- "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f",
- "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4",
- "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016",
- "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f",
- "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0",
- ]
-}
-
-provider "registry.opentofu.org/hashicorp/random" {
- version = "3.6.1"
- constraints = ">= 3.6.1"
- hashes = [
- "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=",
- "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b",
- "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063",
- "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03",
- "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600",
- "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59",
- "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17",
- "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9",
- "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8",
- "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39",
- "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f",
- ]
-}
diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index 8d87a3f64..f68202b57 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl @@ -20,7 +20,8 @@ provider "registry.opentofu.org/hashicorp/aws" { } provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.1" + version = "3.6.1" + constraints = ">= 3.6.1" hashes = [ "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 196527cc9..39d7ee0a0 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -34,8 +34,19 @@ dependency "backend-infra" { } } +dependency "database" { + config_path = "../../data-store/database" + + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] + mock_outputs = { + db_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:mocksecretarn" + } +} + locals { + project = include.root.locals.project environment = include.env.locals.environment + short_name = include.root.locals.short_name name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" region = include.env.locals.region project_tags = include.root.locals.tags 
@@ -52,5 +63,17 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role + frontend_url = "https://${local.environment}.${local.project}.day" + short_base_url = "https://${local.environment}.${local.short_name}.day" + app_env = local.environment + sentry_dsn = "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" + zoom_auth_callback = "https://${local.environment}.${local.project}.day/api/v1/zoom/callback" + short_name = local.short_name + database_secret = dependency.database.outputs.db_secret + db_enc_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" + smtp_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" + google_oauth_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" + zoom_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" + fxa_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-fxa-7koQF0" tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index e08624e9c..b03265193 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -17,8 +17,8 @@ dependency "backend" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { - alb_id = "mock_alb_id" - dns_name = "mock_dns_name" + alb_id = "mock_alb_id" + dns_name = "mock_dns_name" x_allow_secret = "mock_secret" } } 
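Review bot: Five Secrets Manager ARNs (`db_enc_secret`, `smtp_secret`, `google_oauth_secret`, `zoom_secret`, `fxa_secret`) and a Sentry DSN are added as string literals in the stage unit, while `database_secret` in the same hunk is correctly wired from `dependency.database.outputs.db_secret`. The literal ARNs pin the account id and each secret's random suffix, so rotating or recreating any of them changes nothing in git but breaks apply, and the block cannot be promoted to production without editing. Move them to `environment_vars.yaml` (already read by `environment.hcl`) or resolve them in the module by name with `data "aws_secretsmanager_secret"`, and keep the DSN out of the repository the same way. The `staging/appointment/...` secret paths under a `stage/` unit are worth confirming too. The `inputs` block starts above the hunk.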
@@ -44,5 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name - x_allow_secret = dependency.backend.outputs.x_allow_secret + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file diff --git a/tofu/modules/data-store/database/main.tf b/tofu/modules/data-store/database/main.tf index ba8589f9c..e3b1cc37e 100644 --- a/tofu/modules/data-store/database/main.tf +++ b/tofu/modules/data-store/database/main.tf @@ -1,8 +1,8 @@ -data "aws_secretsmanager_secret" "db_secrets" { - arn = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" -} -data "aws_secretsmanager_secret_version" "current" { - secret_id = data.aws_secretsmanager_secret.db_secrets.id +locals { + username = replace("${var.name_prefix}_user", "-", "_") + secret = { + + } } module "db" { @@ -16,8 +16,8 @@ module "db" { allocated_storage = 20 db_name = "appointment" - username = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"] - password = jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"] + username = local.username //jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["username"] + password = random_password.db_password.result //jsondecode(data.aws_secretsmanager_secret_version.current.secret_string)["password"] manage_master_user_password = false port = "3306" 
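Review bot: `password = random_password.db_password.result` together with `manage_master_user_password = false` means the master password is generated by tofu and lands in plaintext in the state backend (and, per the truncated hunk that follows, is also copied into an `aws_secretsmanager_secret_version`, whose `secret_string` is state as well), and `random_password.db_password` itself is not declared in any hunk visible here. If `module "db"` is the terraform-aws-modules RDS module (its `source` is above the hunk), `manage_master_user_password = true` lets RDS create and manage the secret and exposes its ARN as a module output, which keeps the password out of state entirely. Separately, `secret = { }` in the new `locals` is empty and unused, and the `//jsondecode(...)` tails on the `username`/`password` lines are dead code that should be deleted rather than kept as trailing comments.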
@@ -77,4 +77,33 @@ resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" { to_port = 3306 ip_protocol = "tcp" referenced_security_group_id = var.backend_security_group +} + +resource "aws_secretsmanager_secret" "db_secret" { + name = "${var.name_prefix}-db" + tags = merge(var.tags, { + Name = "${var.name_prefix}-db" + }) +} + +resource "aws_secretsmanager_secret_version" "db_secret_values" { + secret_id = aws_secretsmanager_secret.db_secret.id + secret_string = < Date: Thu, 21 Mar 2024 09:16:28 -0400 Subject: [PATCH 109/298] initial commit --- .../data-store/cache/.terraform.lock.hcl | 19 ++ .../data-store/cache/terragrunt.hcl | 51 +++++ .../data-store/database/.terraform.lock.hcl | 38 ++++ .../data-store/database/terragrunt.hcl | 63 ++++++ tofu/environments/production/environment.hcl | 10 + .../production/environment_vars.yaml | 4 + .../network/vpc/.terraform.lock.hcl | 20 ++ .../production/network/vpc/terragrunt.hcl | 31 +++ .../services/backend/.terraform.lock.hcl | 20 ++ .../services/backend/terragrunt.hcl | 50 +++++ .../services/frontend/.terraform.lock.hcl | 19 ++ .../services/frontend/terragrunt.hcl | 46 ++++ .../terraform/tfbackend/.terraform.lock.hcl | 19 ++ .../terraform/tfbackend/terragrunt.hcl | 28 +++ .../stage/network/vpc/.terraform.lock.hcl | 20 ++ .../services/backend/.terraform.lock.hcl | 20 ++ .../stage/services/backend/terragrunt.hcl | 50 +++++ tofu/modules/services/backend/main.tf | 206 ++++++++++++++++++ tofu/modules/services/backend/outputs.tf | 11 + tofu/modules/services/backend/variables.tf | 49 +++++ 20 files changed, 774 insertions(+) create mode 100644 tofu/environments/production/data-store/cache/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/cache/terragrunt.hcl create mode 100644 tofu/environments/production/data-store/database/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/database/terragrunt.hcl create mode 100644 
tofu/environments/production/environment.hcl create mode 100644 tofu/environments/production/environment_vars.yaml create mode 100644 tofu/environments/production/network/vpc/.terraform.lock.hcl create mode 100644 tofu/environments/production/network/vpc/terragrunt.hcl create mode 100644 tofu/environments/production/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/production/services/backend/terragrunt.hcl create mode 100644 tofu/environments/production/services/frontend/.terraform.lock.hcl create mode 100644 tofu/environments/production/services/frontend/terragrunt.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/terragrunt.hcl create mode 100644 tofu/environments/stage/network/vpc/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/backend/terragrunt.hcl create mode 100644 tofu/modules/services/backend/main.tf create mode 100644 tofu/modules/services/backend/outputs.tf create mode 100644 tofu/modules/services/backend/variables.tf diff --git a/tofu/environments/production/data-store/cache/.terraform.lock.hcl b/tofu/environments/production/data-store/cache/.terraform.lock.hcl new file mode 100644 index 000000000..b88b3b5eb --- /dev/null +++ b/tofu/environments/production/data-store/cache/.terraform.lock.hcl 
@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
new file mode 100644
index 000000000..38984b063
--- /dev/null
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -0,0 +1,51 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/cache"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.database_subnets
+ source_security_groups = [dependency.backend.outputs.security_group_id]
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/data-store/database/.terraform.lock.hcl b/tofu/environments/production/data-store/database/.terraform.lock.hcl
new file mode 100644
index 000000000..520f9bfec
--- /dev/null
+++ b/tofu/environments/production/data-store/database/.terraform.lock.hcl
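Review bot: The `vpc` mock declares `subnets` and `source_security_groups`, but `inputs` reads `dependency.vpc.outputs.database_subnets`, which is not mocked, so `validate` with `mock_outputs_allowed_terraform_commands = ["validate"]` fails on the missing attribute before the mocks are of any use. The same mismatch is in the production `data-store/database` unit (`database_subnet_group`) and in the production and stage `services/backend` units (`private_subnets`). Mock only what the unit reads: `database_subnets = []` here, and drop the unused keys.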
@@ -0,0 +1,38 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ constraints = ">= 5.36.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/random" {
+ version = "3.6.0"
+ constraints = ">= 3.1.0"
+ hashes = [
+ "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=",
+ "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75",
+ "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3",
+ "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23",
+ "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2",
+ "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9",
+ "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a",
+ "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4",
+ "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24",
+ "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4",
+ "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685",
+ ]
+}
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
new file mode 100644
index 000000000..17e31130f
--- /dev/null
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -0,0 +1,63 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/data-store/database"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ source_security_groups = []
+ }
+}
+
+dependency "cache" {
+ config_path = "../cache"
+
+ mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+ mock_outputs = {
+ security_group_id = "mock_sg_id"
+ }
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ security_group_id = "sg-mocksecuritygroup"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnet_group = dependency.vpc.outputs.database_subnet_group
+ elasticache_security_group = dependency.cache.outputs.security_group_id
+ backend_security_group = dependency.backend.outputs.security_group_id
+ tags = local.tags
+}
\ No newline at end of file
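Review bot: The mock ids in this unit are inconsistent: `cache` mocks `security_group_id = "mock_sg_id"` and is allowed for `plan`, while `backend` uses the well-formed `"sg-mocksecuritygroup"` and is allowed only for `validate`. A plan that runs on the cache mock feeds `mock_sg_id` into a security-group rule, so whether it fails at plan or only at apply depends on provider-side validation; using an `sg-` shaped placeholder everywhere, as the `backend` block already does, keeps the outcome predictable.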
diff --git a/tofu/environments/production/environment.hcl b/tofu/environments/production/environment.hcl
new file mode 100644
index 000000000..6aa839efa
--- /dev/null
+++ b/tofu/environments/production/environment.hcl
@@ -0,0 +1,10 @@
+locals {
+ environment_vars = yamldecode(file("environment_vars.yaml"))
+
+ environment = local.environment_vars.environment
+ region = local.environment_vars.region
+
+ tags = {
+ environment = local.environment
+ }
+}
\ No newline at end of file
diff --git a/tofu/environments/production/environment_vars.yaml b/tofu/environments/production/environment_vars.yaml
new file mode 100644
index 000000000..e415a0ef9
--- /dev/null
+++ b/tofu/environments/production/environment_vars.yaml
@@ -0,0 +1,4 @@
+---
+environment: production
+region: us-east-1
+...
\ No newline at end of file
diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/production/network/vpc/.terraform.lock.hcl
new file mode 100644
index 000000000..c8048244a
--- /dev/null
+++ b/tofu/environments/production/network/vpc/.terraform.lock.hcl
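Review bot: `yamldecode(file("environment_vars.yaml"))` uses a path relative to whichever directory Terragrunt evaluates the included `environment.hcl` from; I believe that is the child unit's directory rather than `production/`, in which case every unit that includes this file fails to find the yaml. `file(find_in_parent_folders("environment_vars.yaml"))` resolves correctly either way, since the yaml sits next to `environment.hcl` in a parent of each unit — worth confirming with a `terragrunt validate` run from one of the units.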
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ constraints = ">= 4.0.0, >= 5.30.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/production/network/vpc/terragrunt.hcl b/tofu/environments/production/network/vpc/terragrunt.hcl
new file mode 100644
index 000000000..edae031a7
--- /dev/null
+++ b/tofu/environments/production/network/vpc/terragrunt.hcl
@@ -0,0 +1,31 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/network/vpc"
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc_cidr = "10.0.0.0/16"
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend/.terraform.lock.hcl
new file mode 100644
index 000000000..16bf2d314
--- /dev/null
+++ b/tofu/environments/production/services/backend/.terraform.lock.hcl
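Review bot: `vpc_cidr = "10.0.0.0/16"` is a literal in the production unit rather than an environment value, and the stage VPC unit is not in this chunk, so it is not visible whether stage uses the same range; if it does, the two VPCs can never be peered or attached to a shared transit gateway without re-addressing. Put the CIDR in `environment_vars.yaml` next to `region` and read it as `include.environment.locals.vpc_cidr`, so each environment's range is declared in one place.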
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ constraints = ">= 4.66.1, >= 5.33.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend/terragrunt.hcl
new file mode 100644
index 000000000..15a0c4d04
--- /dev/null
+++ b/tofu/environments/production/services/backend/terragrunt.hcl
@@ -0,0 +1,50 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ ecr_endpoint_security_group = "mock_sg"
+ secrets_endpoint_security_group = "mock_sg"
+ logs_endpoint_security_group = "mock_sg"
+ database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.private_subnets
+ ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group
+ secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
+ logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group
+ database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/production/services/frontend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/production/services/frontend/.terraform.lock.hcl
@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
new file mode 100644
index 000000000..275e71ba4
--- /dev/null
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
@@ -0,0 +1,46 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/frontend"
+}
+
+dependency "backend" {
+ config_path = "../../services/backend"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ id = "mock_alb_id"
+ dns_name = "mock_dns_name"
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+
+
+ ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ tags = local.tags
+ ssl_cert = local.ssl_cert
+ backend_id = dependency.backend.outputs.id
+ backend_dns_name = dependency.backend.outputs.dns_name
+}
\ No newline at end of file
diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl
new file mode 100644
index 000000000..b88b3b5eb
--- /dev/null
+++ b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl
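Review bot: `ssl_cert` is a literal ACM certificate ARN in `locals`, set off by two blank lines from the rest, and it is the only per-environment value in this unit that does not come from `environment_vars.yaml`; the certificate id changes on re-issue, so it belongs next to `region` there and should be read as `include.environment.locals.ssl_cert`. The stage `services/frontend` unit earlier in this chunk also passes `x_allow_secret = dependency.backend.outputs.x_allow_secret` to the module while this production unit does not, and the backend `main.tf` added by this commit matches a fixed `X-Allow` header value, so confirm the production frontend module does not expect that input.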
@@ -0,0 +1,19 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl
new file mode 100644
index 000000000..74efdd318
--- /dev/null
+++ b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl
@@ -0,0 +1,28 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/terraform/tfbackend"
+}
+
+locals {
+ bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state"
+ table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks"
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ bucket_name = local.bucket_name
+ table_name = local.table_name
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
new file mode 100644
index 000000000..c8048244a
--- /dev/null
+++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ constraints = ">= 4.0.0, >= 5.30.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend/.terraform.lock.hcl
new file mode 100644
index 000000000..16bf2d314
--- /dev/null
+++ b/tofu/environments/stage/services/backend/.terraform.lock.hcl
@@ -0,0 +1,20 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.41.0"
+ constraints = ">= 4.66.1, >= 5.33.0"
+ hashes = [
+ "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
+ "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
+ "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
+ "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
+ "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
+ "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
+ "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
+ "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
+ "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
+ "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
+ "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
+ ]
+}
diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend/terragrunt.hcl
new file mode 100644
index 000000000..15a0c4d04
--- /dev/null
+++ b/tofu/environments/stage/services/backend/terragrunt.hcl
@@ -0,0 +1,50 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "environment" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs = {
+ vpc_id = "mock_vpc_id"
+ subnets = []
+ ecr_endpoint_security_group = "mock_sg"
+ secrets_endpoint_security_group = "mock_sg"
+ logs_endpoint_security_group = "mock_sg"
+ database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"]
+ }
+}
+
+locals {
+ environment = include.environment.locals.environment
+ name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}"
+ region = include.environment.locals.region
+
+ project_tags = include.root.locals.tags
+ environment_tags = include.environment.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ environment = local.environment
+ name_prefix = local.name_prefix
+ region = local.region
+ vpc = dependency.vpc.outputs.vpc_id
+ subnets = dependency.vpc.outputs.private_subnets
+ ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group
+ secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group
+ logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group
+ database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/modules/services/backend/main.tf b/tofu/modules/services/backend/main.tf
new file mode 100644
index 000000000..0c8de7f96
--- /dev/null
+++ b/tofu/modules/services/backend/main.tf
@@ -0,0 +1,206 @@ +data "aws_ec2_managed_prefix_list" "cloudfront" { + name = "com.amazonaws.global.cloudfront.origin-facing" +} + +data "aws_region" "current" {} + +data "aws_prefix_list" "s3" { + name = "com.amazonaws.${data.aws_region.current.name}.s3" +} + +locals { + target_group_key = "${var.name_prefix}-ecs-backend" +} + +module "ecs_cluster" { + source = "github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster" + + cluster_name = var.name_prefix + + # Capacity provider + fargate_capacity_providers = { + FARGATE = { + default_capacity_provider_strategy = { + weight = 100 + } + } + } + tags = var.tags +} + +/*resource "aws_ecs_service" "backend_service" { + name = "${var.name_prefix}-backend" + cluster = module.ecs_cluster.id + + launch_type = "FARGATE" + + load_balancer { + target_group_arn = module.backend_alb.target_groups["${local.target_group_key}"].arn + container_name = "backend" + container_port = 5000 + } + + network_configuration { + security_groups = [aws_security_group.backend.id] + subnets = var.subnets + } + + #task_definition = "arn:aws:ecs:${var.region}:768512802988:task-definition/${var.name_prefix}-backend" + desired_count = 1 + tags = var.tags +}*/ + +module "backend_alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 9.0" + + name = "${var.name_prefix}-backend" + security_group_name = "${var.name_prefix}-backend-alb" + + load_balancer_type = "application" + + vpc_id = var.vpc + subnets = var.subnets + + enable_deletion_protection = false #var.environment != "sandbox" ? 
true : false + + security_group_ingress_rules = { + inbound = { + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id + } + } + + security_group_egress_rules = { + outbound = { + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + referenced_security_group_id = aws_security_group.backend.id + } + } + + listeners = { + http = { + port = 5000 + protocol = "HTTP" + + forward = { + target_group_key = local.target_group_key + } + rules = { + custom-header = { + actions = [{ + type = "forward" + target_group_key = local.target_group_key + }] + conditions = [{ + http_header = { + http_header_name = "X-Allow" + values = ["test"] + } + }] + } + } + } + } + + target_groups = { + "${local.target_group_key}" = { + name = "${var.name_prefix}-ecs-backend" + protocol = "HTTP" + port = 5000 + target_type = "ip" + deregistration_delay = 5 + load_balancing_cross_zone_enabled = true + + health_check = { + enabled = true + healthy_threshold = 5 + interval = 30 + matcher = "200" + path = "/api/v1" + port = "traffic-port" + protocol = "HTTP" + timeout = 5 + unhealthy_threshold = 2 + } + + # There's nothing to attach here in this definition. 
Instead, + # ECS will attach the IPs of the tasks to this target group + create_attachment = false + } + } + tags = merge(var.tags, { + Name = "${var.name_prefix}-backend-alb" + }) + security_group_tags = { + Name = "${var.name_prefix}-backend-alb" + } +} + +resource "aws_security_group" "backend" { + name = "${var.name_prefix}-backend" + description = "Appointment backend traffic" + vpc_id = var.vpc + tags = merge(var.tags, { + Name = "${var.name_prefix}-backend" + }) +} + +resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" { + security_group_id = aws_security_group.backend.id + description = "5000 from ALB" + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + referenced_security_group_id = module.backend_alb.security_group_id +} + +resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB_subnets" { + for_each = toset(var.database_subnet_cidrs) + security_group_id = aws_security_group.backend.id + description = "mysql to DB" + from_port = 3306 + to_port = 3306 + ip_protocol = "tcp" + cidr_ipv4 = each.value +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" { + security_group_id = aws_security_group.backend.id + description = "TLS to ECR endpoints" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.ecr_endpoint_security_group +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to logs endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.logs_endpoint_security_group +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to secrets endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.secrets_endpoint_security_group +} + +resource 
"aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to S3 endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + prefix_list_id = data.aws_prefix_list.s3.id +} \ No newline at end of file diff --git a/tofu/modules/services/backend/outputs.tf b/tofu/modules/services/backend/outputs.tf new file mode 100644 index 000000000..031f8a182 --- /dev/null +++ b/tofu/modules/services/backend/outputs.tf @@ -0,0 +1,11 @@ +output "id" { + value = module.backend_alb.id +} + +output "dns_name" { + value = module.backend_alb.dns_name +} + +output "security_group_id" { + value = aws_security_group.backend.id +} \ No newline at end of file diff --git a/tofu/modules/services/backend/variables.tf b/tofu/modules/services/backend/variables.tf new file mode 100644 index 000000000..01f678582 --- /dev/null +++ b/tofu/modules/services/backend/variables.tf @@ -0,0 +1,49 @@ +variable "environment" { + description = "Application environment ie. staging, production, etc..." + type = string +} + +variable "name_prefix" { + description = "Prefix to be used with all resource names" + type = string +} + +variable "region" { + description = "Deployment region" + type = string +} + +variable "tags" { + description = "Common tags" + type = map(string) +} + +variable "vpc" { + description = "VPC ID" + type = string +} + +variable "subnets" { + description = "Backend subnets" + type = list(any) +} + +variable "ecr_endpoint_security_group" { + description = "ECR API & DKS VPC endpoint security group" + type = string +} + +variable "secrets_endpoint_security_group" { + description = "Secrets Manager VPC endpoint security group" + type = string +} + +variable "logs_endpoint_security_group" { + description = "Cloudwatch logs VPC endpoint security group" + type = string +} + +variable "database_subnet_cidrs" { + description = "Database subnet CIDRs" + type = list +} \ No newline at end of file 
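Review bot: The listener's `custom-header` rule provides no gate as written: its action forwards to the same target group as the listener's default `forward`, so a request without `X-Allow` reaches the tasks anyway, and `values = ["test"]` is a hard-coded, guessable value committed to source. Since the security group already admits the entire CloudFront origin-facing prefix list, any CloudFront distribution can reach this origin; make the default action a `fixed_response` returning 403 and forward only when the header matches, with the value supplied from a `sensitive = true` variable fed by a secret store. The listener is also plain `HTTP` on 5000, so CloudFront-to-origin traffic is unencrypted; an HTTPS listener with an ACM certificate would close that gap. Separately, the commented-out `aws_ecs_service` embeds a literal account id in the task-definition ARN, which should come from `data.aws_caller_identity` if that block is revived.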
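Review bot: In variables.tf, `database_subnet_cidrs` uses the legacy untyped `type = list` and `subnets` uses `list(any)`; both are consumed as strings (`toset(var.database_subnet_cidrs)` feeds `cidr_ipv4`, and `subnets` is passed to the ALB), so `type = list(string)` on both would reject a wrong input at plan time instead of at apply. The `ecr_endpoint_security_group` description reads "ECR API & DKS"; if the second endpoint is the Docker registry one, "DKR" is presumably meant.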
From 0f4705bffaa8e0e15a052cf2d6e1b35624da3411 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 10:11:01 -0400 Subject: [PATCH 110/298] add backend service --- tofu/README.md | 9 + .../data-store/cache/terragrunt.hcl | 4 +- .../data-store/database/terragrunt.hcl | 2 +- .../.terraform.lock.hcl | 0 .../{backend => backend-infra}/terragrunt.hcl | 2 +- .../services/frontend/terragrunt.hcl | 2 +- .../services/backend/.terraform.lock.hcl | 20 -- .../stage/services/backend/terragrunt.hcl | 50 ----- tofu/modules/services/backend/main.tf | 206 ------------------ tofu/modules/services/backend/outputs.tf | 11 - tofu/modules/services/backend/variables.tf | 49 ----- 11 files changed, 14 insertions(+), 341 deletions(-) rename tofu/environments/production/services/{backend => backend-infra}/.terraform.lock.hcl (100%) rename tofu/environments/production/services/{backend => backend-infra}/terragrunt.hcl (96%) delete mode 100644 tofu/environments/stage/services/backend/.terraform.lock.hcl delete mode 100644 tofu/environments/stage/services/backend/terragrunt.hcl delete mode 100644 tofu/modules/services/backend/main.tf delete mode 100644 tofu/modules/services/backend/outputs.tf delete mode 100644 tofu/modules/services/backend/variables.tf diff --git a/tofu/README.md b/tofu/README.md index 4739706ce..05a53ffc5 100644 --- a/tofu/README.md +++ b/tofu/README.md @@ -105,3 +105,12 @@ These should be deployed in the following order and generally will only be updat 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` + +### Application Stacks + +1. tofu/environments/\/services/backend-service + 1. `cd tofu/environments//services/backend-service` + 2. `terragrun init` + 3. `terragrunt validate` + 4. `terragrunt plan -out tfplan` + 5. `terragrunt apply tfplan` diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 38984b063..a5221540a 100644 
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "vpc" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 17e31130f..082ef325d 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl similarity index 100% rename from tofu/environments/production/services/backend/.terraform.lock.hcl rename to tofu/environments/production/services/backend-infra/.terraform.lock.hcl diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl similarity index 96% rename from tofu/environments/production/services/backend/terragrunt.hcl rename to tofu/environments/production/services/backend-infra/terragrunt.hcl index 15a0c4d04..4e84c4c63 100644 --- a/tofu/environments/production/services/backend/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl 
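Review bot: The production `database` dependency keeps `config_path = "../../services/backend"` while this commit renames `production/services/backend` to `backend-infra` and updates the cache dependency to match, so terragrunt will fail to resolve the backend dependency for the database stack; the production `frontend` hunk in this commit carries the same stale path. Change both to `config_path = "../../services/backend-infra"`.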
@@ -9,7 +9,7 @@ include "environment" { } terraform { - source = "../../../../modules/services/backend" + source = "../../../../modules/services/backend-infra" } dependency "vpc" { diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 275e71ba4..d90141733 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate","destroy"] mock_outputs = { id = "mock_alb_id" dns_name = "mock_dns_name" diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend/.terraform.lock.hcl deleted file mode 100644 index 16bf2d314..000000000 --- a/tofu/environments/stage/services/backend/.terraform.lock.hcl +++ /dev/null 
@@ -1,20 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 4.66.1, >= 5.33.0" - hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", - ] -} diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend/terragrunt.hcl deleted file mode 100644 index 15a0c4d04..000000000 --- a/tofu/environments/stage/services/backend/terragrunt.hcl +++ /dev/null 
@@ -1,50 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/backend" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["validate"] - mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - ecr_endpoint_security_group = "mock_sg" - secrets_endpoint_security_group = "mock_sg" - logs_endpoint_security_group = "mock_sg" - database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - vpc = dependency.vpc.outputs.vpc_id - subnets = dependency.vpc.outputs.private_subnets - ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group - secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group - logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group - database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs - tags = local.tags -} \ No newline at end of file diff --git a/tofu/modules/services/backend/main.tf b/tofu/modules/services/backend/main.tf deleted file mode 100644 index 0c8de7f96..000000000 --- a/tofu/modules/services/backend/main.tf +++ /dev/null 
@@ -1,206 +0,0 @@ -data "aws_ec2_managed_prefix_list" "cloudfront" { - name = "com.amazonaws.global.cloudfront.origin-facing" -} - -data "aws_region" "current" {} - -data "aws_prefix_list" "s3" { - name = "com.amazonaws.${data.aws_region.current.name}.s3" -} - -locals { - target_group_key = "${var.name_prefix}-ecs-backend" -} - -module "ecs_cluster" { - source = "github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster" - - cluster_name = var.name_prefix - - # Capacity provider - fargate_capacity_providers = { - FARGATE = { - default_capacity_provider_strategy = { - weight = 100 - } - } - } - tags = var.tags -} - -/*resource "aws_ecs_service" "backend_service" { - name = "${var.name_prefix}-backend" - cluster = module.ecs_cluster.id - - launch_type = "FARGATE" - - load_balancer { - target_group_arn = module.backend_alb.target_groups["${local.target_group_key}"].arn - container_name = "backend" - container_port = 5000 - } - - network_configuration { - security_groups = [aws_security_group.backend.id] - subnets = var.subnets - } - - #task_definition = "arn:aws:ecs:${var.region}:768512802988:task-definition/${var.name_prefix}-backend" - desired_count = 1 - tags = var.tags -}*/ - -module "backend_alb" { - source = "terraform-aws-modules/alb/aws" - version = "~> 9.0" - - name = "${var.name_prefix}-backend" - security_group_name = "${var.name_prefix}-backend-alb" - - load_balancer_type = "application" - - vpc_id = var.vpc - subnets = var.subnets - - enable_deletion_protection = false #var.environment != "sandbox" ? 
true : false - - security_group_ingress_rules = { - inbound = { - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id - } - } - - security_group_egress_rules = { - outbound = { - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - referenced_security_group_id = aws_security_group.backend.id - } - } - - listeners = { - http = { - port = 5000 - protocol = "HTTP" - - forward = { - target_group_key = local.target_group_key - } - rules = { - custom-header = { - actions = [{ - type = "forward" - target_group_key = local.target_group_key - }] - conditions = [{ - http_header = { - http_header_name = "X-Allow" - values = ["test"] - } - }] - } - } - } - } - - target_groups = { - "${local.target_group_key}" = { - name = "${var.name_prefix}-ecs-backend" - protocol = "HTTP" - port = 5000 - target_type = "ip" - deregistration_delay = 5 - load_balancing_cross_zone_enabled = true - - health_check = { - enabled = true - healthy_threshold = 5 - interval = 30 - matcher = "200" - path = "/api/v1" - port = "traffic-port" - protocol = "HTTP" - timeout = 5 - unhealthy_threshold = 2 - } - - # There's nothing to attach here in this definition. 
Instead, - # ECS will attach the IPs of the tasks to this target group - create_attachment = false - } - } - tags = merge(var.tags, { - Name = "${var.name_prefix}-backend-alb" - }) - security_group_tags = { - Name = "${var.name_prefix}-backend-alb" - } -} - -resource "aws_security_group" "backend" { - name = "${var.name_prefix}-backend" - description = "Appointment backend traffic" - vpc_id = var.vpc - tags = merge(var.tags, { - Name = "${var.name_prefix}-backend" - }) -} - -resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" { - security_group_id = aws_security_group.backend.id - description = "5000 from ALB" - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - referenced_security_group_id = module.backend_alb.security_group_id -} - -resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB_subnets" { - for_each = toset(var.database_subnet_cidrs) - security_group_id = aws_security_group.backend.id - description = "mysql to DB" - from_port = 3306 - to_port = 3306 - ip_protocol = "tcp" - cidr_ipv4 = each.value -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" { - security_group_id = aws_security_group.backend.id - description = "TLS to ECR endpoints" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.ecr_endpoint_security_group -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to logs endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.logs_endpoint_security_group -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to secrets endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.secrets_endpoint_security_group -} - -resource 
"aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to S3 endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - prefix_list_id = data.aws_prefix_list.s3.id -} \ No newline at end of file diff --git a/tofu/modules/services/backend/outputs.tf b/tofu/modules/services/backend/outputs.tf deleted file mode 100644 index 031f8a182..000000000 --- a/tofu/modules/services/backend/outputs.tf +++ /dev/null @@ -1,11 +0,0 @@ -output "id" { - value = module.backend_alb.id -} - -output "dns_name" { - value = module.backend_alb.dns_name -} - -output "security_group_id" { - value = aws_security_group.backend.id -} \ No newline at end of file diff --git a/tofu/modules/services/backend/variables.tf b/tofu/modules/services/backend/variables.tf deleted file mode 100644 index 01f678582..000000000 --- a/tofu/modules/services/backend/variables.tf +++ /dev/null @@ -1,49 +0,0 @@ -variable "environment" { - description = "Application environment ie. staging, production, etc..." - type = string -} - -variable "name_prefix" { - description = "Prefix to be used with all resource names" - type = string -} - -variable "region" { - description = "Deployment region" - type = string -} - -variable "tags" { - description = "Common tags" - type = map(string) -} - -variable "vpc" { - description = "VPC ID" - type = string -} - -variable "subnets" { - description = "Backend subnets" - type = list(any) -} - -variable "ecr_endpoint_security_group" { - description = "ECR API & DKS VPC endpoint security group" - type = string -} - -variable "secrets_endpoint_security_group" { - description = "Secrets Manager VPC endpoint security group" - type = string -} - -variable "logs_endpoint_security_group" { - description = "Cloudwatch logs VPC endpoint security group" - type = string -} - -variable "database_subnet_cidrs" { - description = "Database subnet CIDRs" - type = list -} \ No newline at end of file 
From 143c6ec935e8b3bfe60d899abd91908590be385e Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 10:11:55 -0400 Subject: [PATCH 111/298] initial iac validation code --- .github/workflows/deploy.yaml | 0 .github/workflows/iac_plan.yaml | 0 .github/workflows/iac_validate.yaml | 26 ++++++++++++++++++++++++++ .github/workflows/main.yaml | 0 4 files changed, 26 insertions(+) create mode 100644 .github/workflows/deploy.yaml create mode 100644 .github/workflows/iac_plan.yaml create mode 100644 .github/workflows/iac_validate.yaml create mode 100644 .github/workflows/main.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml new file mode 100644 index 000000000..49acd0991 --- /dev/null +++ b/.github/workflows/iac_validate.yaml @@ -0,0 +1,26 @@ +name: validate-iac +on: + push: + workflow_call: +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + environment: 'stage' + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ env.tf_version }} + - run: | + git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv + sudo ln -s ~/.tgenv/bin* /usr/local/bin + tgenv install ${{ env.tg_version }} + - run: | + cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend + terragrun init + terragrunt validate + diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml new file mode 100644 index 000000000..e69de29bb From b6e1364b70dc253fab528fce1a11d4503e5b9f60 Mon Sep 17 00:00:00 2001 
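Review bot: The install step clones `tgenv` from the unpinned `main` branch and symlinks it into `/usr/local/bin` with sudo, so whatever that repository serves at run time executes in a job that later holds cloud credentials; pin a release tag or commit, and pin `actions/checkout` and `opentofu/setup-opentofu` to full commit SHAs rather than the moving `@v4`/`@v1` tags. The `on: push` trigger has no `branches` filter, so this runs for every push to every branch. The validate step also runs `terragrun init`, which is a typo for `terragrunt init` and will fail the step.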
From: Jo Date: Tue, 26 Mar 2024 10:15:35 -0400 Subject: [PATCH 112/298] fixed tgenv path --- .github/workflows/iac_validate.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 49acd0991..34208137b 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -17,8 +17,7 @@ jobs: tofu_version: ${{ env.tf_version }} - run: | git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - sudo ln -s ~/.tgenv/bin* /usr/local/bin - tgenv install ${{ env.tg_version }} + ~/.tgenv/bin/tgenv install ${{ env.tg_version }} - run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend terragrun init From 46f557f1a054fc0829f7f45d87d5fe96973c599c Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 10:25:56 -0400 Subject: [PATCH 113/298] tgenv error --- .github/workflows/iac_validate.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 34208137b..94f2aa82a 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -12,13 +12,16 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - uses: opentofu/setup-opentofu@v1 + - name: install opentofu + uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} - - run: | - git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - ~/.tgenv/bin/tgenv install ${{ env.tg_version }} - - run: | + - name: install tgenv + run: git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv + - name: install terragrunt + run: ~/.tgenv/bin/tgenv install ${{ env.tg_version }} + - name: validate + run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend terragrun init terragrunt validate From fbef6f5c95ae12c8a701efbdd64cfcd8ff805bdd Mon Sep 17 00:00:00 2001 
From: Jo Date: Tue, 26 Mar 2024 11:49:59 -0400 Subject: [PATCH 114/298] terragrunt manual install --- .github/workflows/iac_validate.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 94f2aa82a..1d06f84df 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -16,10 +16,11 @@ jobs: uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} - - name: install tgenv - run: git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - name: install terragrunt - run: ~/.tgenv/bin/tgenv install ${{ env.tg_version }} + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v - name: validate run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend From 03f013d2cbf0e415a41be09732f936ab202af019 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 11:51:13 -0400 Subject: [PATCH 115/298] fix typo --- .github/workflows/iac_validate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 1d06f84df..f693834ae 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -24,6 +24,6 @@ jobs: - name: validate run: | cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend - terragrun init + terragrunt init terragrunt validate From d5ad6beb6dca1db7280bbb3c019008bd0713b49a Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 11:58:40 -0400 Subject: [PATCH 116/298] add all tf --- .github/workflows/iac_validate.yaml | 25 ++++++++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index f693834ae..cb7c79ffa 100644 
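Review bot: The terragrunt binary is downloaded and made executable with no integrity check and written straight into `/bin` with sudo; Terragrunt releases include checksum assets, so fetch the checksum file alongside the binary and run `sha256sum -c` (or compare against a checksum committed next to `tg_version`) before `chmod +x`. Installing into a job-local directory appended to `$GITHUB_PATH` avoids the privileged write into a system path. This binary runs every later `terragrunt init`/`plan` that uses the cloud credentials, so its provenance matters as much as the credentials themselves.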
--- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -21,9 +21,28 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: validate + - name: validate vpc run: | - cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend + cd ./tofu/environments/${{ env.environment }}/network/vpc + terragrunt init + terragrunt validate + - name: validate backend + run: | + cd ../../services/backend-infra + terragrunt init + terragrunt validate + - name: validate cache + run: | + cd ../../data-store/cache + terragrunt init + terragrunt validate + - name: validate database + run: | + cd ../../data-store/database + terragrunt init + terragrunt validate + - name: validate frontend + run: | + cd ../../services/frontend terragrunt init terragrunt validate - From 0b56307ffb30e0ccbd966c1d7204d28b639acdfa Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 12:21:59 -0400 Subject: [PATCH 117/298] add working directories --- .github/workflows/iac_validate.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index cb7c79ffa..2160020e1 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml 
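Review bot: Each `run` step starts in the workspace root, so `cd ../../services/backend-infra` in the backend step (and the `cd ../../...` in the cache, database and frontend steps) climbs out of the checkout instead of moving relative to the previous step's directory; the cwd does not carry across steps. Give each step its own absolute-from-root path, e.g. `cd ./tofu/environments/${{ env.environment }}/services/backend-infra`, or set `working-directory:` on the step.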
@@ -22,27 +22,27 @@ jobs: sudo chmod +x /bin/terragrunt terragrunt -v - name: validate vpc + working-directory: ./tofu/environments/${{ env.environment}}/network/vpc run: | - cd ./tofu/environments/${{ env.environment }}/network/vpc terragrunt init terragrunt validate - name: validate backend + working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra run: | - cd ../../services/backend-infra terragrunt init terragrunt validate - name: validate cache + working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache run: | - cd ../../data-store/cache terragrunt init terragrunt validate - name: validate database + working-directory: ./tofu/environments/${{ env.environment}}/data-store/database run: | - cd ../../data-store/database terragrunt init terragrunt validate - name: validate frontend + working-directory: ./tofu/environments/${{ env.environment}}/services/frontend run: | - cd ../../services/frontend terragrunt init terragrunt validate From 1632f9aa4955e3c09588450fbbc595a5a52f08e6 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 12:30:11 -0400 Subject: [PATCH 118/298] disable tofu wrapper --- .github/workflows/iac_validate.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 2160020e1..e87d010ad 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -16,6 +16,7 @@ jobs: uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{ env.tf_version }} + tofu_wrapper: false - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" From 1f84dfeae65484729618f8da8e38f13863b850e5 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 12:32:36 -0400 Subject: [PATCH 119/298] add aws creds --- .github/workflows/iac_validate.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) 
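Review bot: All five `working-directory` lines write `${{ env.environment}}` without the space before `}}` that the rest of the file uses (`${{ env.tf_version }}`); write `${{ env.environment }}` for consistency. The five steps are otherwise identical apart from the path, so a `strategy: matrix:` over the stack paths would remove the duplication and make adding a stack a one-line change.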
diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index e87d010ad..3917c488f 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -6,12 +6,20 @@ env: tf_version: '1.6.2' tg_version: '0.55.15' environment: 'stage' + AWS_REGION: us-east-1 jobs: validate-iac: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} - name: install opentofu uses: opentofu/setup-opentofu@v1 with: From d9adf52b1414e3047039dbbe116aafd1268e7ba7 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:31:53 -0400 Subject: [PATCH 120/298] add aws creds --- .github/workflows/iac_validate.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 3917c488f..dcd9bfa97 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -15,10 +15,10 @@ jobs: - uses: actions/checkout@v4 - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v1 + uses: aws-actions/configure-aws-credentials@v4 with: - aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + role-to-assume: ${{ secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ env.AWS_REGION }} - name: install opentofu uses: opentofu/setup-opentofu@v1 From d3ce6920f4bb013643e98d4912090e0c5bdc0259 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:33:48 -0400 Subject: [PATCH 121/298] add workflow permissions --- .github/workflows/iac_validate.yaml | 4 ++++ 1 file changed, 4 insertions(+) 
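Review bot: With `role-to-assume` in a workflow whose trigger is an unfiltered `on: push`, every push to any branch of this repository can assume the role, so the role's trust policy must constrain the OIDC `sub` claim to the intended repository and refs (for example `repo:ORG/REPO:ref:refs/heads/main`, placeholders for the real values) rather than only the audience, and the `push` trigger should carry a `branches` filter. `${{ secrets.IAM_ROLE}}` is missing the space before `}}` used elsewhere in the file. Since the same role is reused by the plan workflow, its permissions should be limited to what validate and plan need, which is read access plus state access.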
diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index dcd9bfa97..6e9a15c06 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -8,6 +8,10 @@ env: environment: 'stage' AWS_REGION: us-east-1 +permissions: + id-token: write + contents: read + jobs: validate-iac: runs-on: ubuntu-latest From 07c32dcecc8fb582afd77a4dcdd62bf0d392ec6b Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:43:44 -0400 Subject: [PATCH 122/298] add iac plan --- .github/workflows/iac_plan.yaml | 61 +++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index e69de29bb..2bfbd503b 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml 
@@ -0,0 +1,61 @@ +name: plan-iac +on: + push: + workflow_call: +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + environment: 'stage' + AWS_REGION: us-east-1 + +permissions: + id-token: write + contents: read + +jobs: + plan-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ env.AWS_REGION }} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ env.tf_version }} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: plan vpc + working-directory: ./tofu/environments/${{ env.environment}}/network/vpc + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan backend + working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan cache + working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan database + working-directory: ./tofu/environments/${{ env.environment}}/data-store/database + run: | + terragrunt init + terragrunt plan -out tfplan-vpc + - name: plan frontend + working-directory: ./tofu/environments/${{ env.environment}}/services/frontend + run: | + terragrunt init + terragrunt plan -out tfplan-vpc From efd2a20becfe4d0c8eb4005db8a7ad1a6767b7ab Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:47:43 -0400 Subject: [PATCH 123/298] add iac plan trigger --- .github/workflows/iac_plan.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
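Review bot: The `install terragrunt` step fetches `terragrunt_linux_amd64` and installs it with `sudo chmod +x /bin/terragrunt` without checking what was downloaded, so a substituted or compromised release asset would execute with the assumed AWS role on every push. The release publishes a checksum file (`SHA256SUMS`); download it next to the binary and gate the install on `sha256sum --check --ignore-missing SHA256SUMS`, or pin the expected digest beside `tg_version` so a version bump also updates the hash. Separately, all five plan steps write `-out tfplan-vpc`; each runs in its own `working-directory` so nothing is overwritten, but the name is wrong for the backend, cache, database and frontend plans and none of the files is consumed later, so either drop `-out` here or name each file after its module.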
diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index 2bfbd503b..3ce907f3c 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -1,7 +1,12 @@ name: plan-iac -on: - push: + +on: workflow_call: + workflow_run: + workflows: [validate-iac] + types: + - completed + env: tf_version: '1.6.2' tg_version: '0.55.15' From 28ba6a94c9d7d5cc829b92c9444226ae820616b9 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 13:56:25 -0400 Subject: [PATCH 124/298] DJUST iac workflow triggers --- .github/workflows/deploy.yaml | 0 .github/workflows/iac_plan.yaml | 1 + .github/workflows/iac_validate.yaml | 2 ++ .github/workflows/main.yaml | 0 4 files changed, 3 insertions(+) delete mode 100644 .github/workflows/deploy.yaml delete mode 100644 .github/workflows/main.yaml diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index 3ce907f3c..feda523b5 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -20,6 +20,7 @@ permissions: jobs: plan-iac: runs-on: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml index 6e9a15c06..c8135cdb1 100644 --- a/.github/workflows/iac_validate.yaml +++ b/.github/workflows/iac_validate.yaml @@ -1,7 +1,9 @@ name: validate-iac + on: push: workflow_call: + env: tf_version: '1.6.2' tg_version: '0.55.15' diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml deleted file mode 100644 index e69de29bb..000000000 From f81adc7c6331d9e6a2fbc5040682e1326423db32 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 14:16:09 -0400 Subject: [PATCH 125/298] add plan-iac push trigger --- .github/workflows/iac_plan.yaml | 1 + 1 file changed, 1 insertion(+) 
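Review bot: The new `workflow_run` trigger on `workflows: [validate-iac]` runs this workflow in the context of the repository's default branch, so `actions/checkout@v4` with no `ref` checks out the default branch head rather than the commit that `validate-iac` just validated, and the plan may describe different code from the one that passed validation. If the intent is to chain plan after validate for the pushed commit, check out `${{ github.event.workflow_run.head_sha }}` explicitly, or invoke `plan-iac` through `workflow_call` from the validate workflow instead of `workflow_run`. As written there is also no condition on `github.event.workflow_run.conclusion`, so the plan runs even when validation failed.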
diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index feda523b5..a9e6af2bd 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -1,6 +1,7 @@ name: plan-iac on: + push: workflow_call: workflow_run: workflows: [validate-iac] From 684c22636042b896c47d9bb15a90a70076cc605f Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 14:18:15 -0400 Subject: [PATCH 126/298] add plan-iac push trigger --- .github/workflows/iac_plan.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml index a9e6af2bd..5d918a6c1 100644 --- a/.github/workflows/iac_plan.yaml +++ b/.github/workflows/iac_plan.yaml @@ -21,7 +21,6 @@ permissions: jobs: plan-iac: runs-on: ubuntu-latest - if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - uses: actions/checkout@v4 From 48926f2c6d3034dda84eb77febf2c25af827fbd4 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 26 Mar 2024 15:31:03 -0400 Subject: [PATCH 127/298] fixed formatting --- .../production/services/frontend/terragrunt.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index d90141733..fc2a1f092 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,9 +15,9 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate","destroy"] + mock_outputs_allowed_terraform_commands = ["validate", "destroy"] mock_outputs = { - id = "mock_alb_id" + alb_id = "mock_alb_id" dns_name = "mock_dns_name" } } 
@@ -41,6 +41,6 @@ inputs = { region = local.region tags = local.tags ssl_cert = local.ssl_cert - backend_id = dependency.backend.outputs.id + backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name } \ No newline at end of file From 35358e6bac8be291a079a91742ebcd5c4bb21b7e Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:16:19 -0400 Subject: [PATCH 128/298] added environment/module matrix --- .github/workflows/iac_apply.yaml | 60 ++++++++++++++++++++++++++ .github/workflows/iac_main.yaml | 41 ++++++++++++++++++ .github/workflows/iac_plan.yaml | 67 ----------------------------- .github/workflows/iac_validate.yaml | 63 --------------------------- .github/workflows/iac_verify.yaml | 58 +++++++++++++++++++++++++ 5 files changed, 159 insertions(+), 130 deletions(-) create mode 100644 .github/workflows/iac_apply.yaml create mode 100644 .github/workflows/iac_main.yaml delete mode 100644 .github/workflows/iac_plan.yaml delete mode 100644 .github/workflows/iac_validate.yaml create mode 100644 .github/workflows/iac_verify.yaml diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml new file mode 100644 index 000000000..56a8d0992 --- /dev/null +++ b/.github/workflows/iac_apply.yaml 
@@ -0,0 +1,60 @@ +name: apply-iac + +on: + push: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + module: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: init + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt init + - name: validate + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt validate + - name: plan + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt plan -out tfplan + - name: apply + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt apply tfplan diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml new file mode 100644 index 000000000..96a3e1e8e --- /dev/null +++ b/.github/workflows/iac_main.yaml 
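Review bot: The `apply` step runs `terragrunt apply tfplan` with the assumed role, yet the workflow is also triggered directly by `push:` and the job declares no `environment:`, so nothing between a push and a live infrastructure change is covered by GitHub environment protection (required reviewers, deployment branch rules), and the OIDC token carries no `environment` claim the role trust policy could pin to. Add `environment: ${{ inputs.environment }}` to the job and remove the direct `push:` trigger so apply is only reachable via `workflow_call` from a gated caller. The job is still named `validate-iac` (copied from the validate workflow), which will make applies indistinguishable from validation in the Checks UI; `apply-iac` is clearer. `${{ env.tg_version }}` in the terragrunt download refers to an env var this file never defines, so it expands to an empty version; `inputs.tg_version` is the value the caller passes.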
@@ -0,0 +1,41 @@ +name: IaC Main + +on: + push: + +env: + tf_version: '1.6.2' + tg_version: '0.55.15' + aws_region: us-east-1 + +jobs: + verify: + if: github.ref != 'refs/heads/main' + strategy: + matrix: + environment: [stage, production] + module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] + uses: ./.github/workflows/iac_verify.yaml + with: + tf_version: env.tf_version + tg_version: env.tg_version + aws_region: env.aws_region + environment: matrix.envrionment + module: matrix.module + secrets: inherit + + apply: + if: github.ref == 'refs/heads/main' + strategy: + matrix: + environment: [stage] + module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] + uses: ./.github/workflows/iac_apply.yaml + with: + tf_version: env.tf_version + tg_version: env.tg_version + aws_region: env.aws_region + environment: matrix.envrionment + module: matrix.module + secrets: inherit + diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml deleted file mode 100644 index 5d918a6c1..000000000 --- a/.github/workflows/iac_plan.yaml +++ /dev/null 
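Review bot: The `verify` job runs `terragrunt plan` against both `stage` and `production` for every push to a non-main branch with `secrets: inherit`, so a single `IAM_ROLE` able to read production state and resources is assumed on arbitrary feature branches. If one role backs both environments, consider a role per environment (e.g. `IAM_ROLE_STAGE` / `IAM_ROLE_PRODUCTION` passed as an explicit secret) so a branch push never obtains production credentials it does not need. The `apply` job has no `environment:` and is gated only by `github.ref == 'refs/heads/main'`, so anyone who can push or merge to main applies immediately with no approval step. `with:` values such as `tf_version: env.tf_version` and `environment: matrix.envrionment` are passed as literal strings — the `env` context is not available in `with:` of a reusable-workflow call and `envrionment` is misspelled — so the called workflows receive the text `env.tf_version` rather than `1.6.2`.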
@@ -1,67 +0,0 @@ -name: plan-iac - -on: - push: - workflow_call: - workflow_run: - workflows: [validate-iac] - types: - - completed - -env: - tf_version: '1.6.2' - tg_version: '0.55.15' - environment: 'stage' - AWS_REGION: us-east-1 - -permissions: - id-token: write - contents: read - -jobs: - plan-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ env.AWS_REGION }} - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ env.tf_version }} - tofu_wrapper: false - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - name: plan vpc - working-directory: ./tofu/environments/${{ env.environment}}/network/vpc - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan backend - working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan cache - working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan database - working-directory: ./tofu/environments/${{ env.environment}}/data-store/database - run: | - terragrunt init - terragrunt plan -out tfplan-vpc - - name: plan frontend - working-directory: ./tofu/environments/${{ env.environment}}/services/frontend - run: | - terragrunt init - terragrunt plan -out tfplan-vpc diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml deleted file mode 100644 index c8135cdb1..000000000 --- a/.github/workflows/iac_validate.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -name: validate-iac - -on: - push: - workflow_call: - -env: - tf_version: '1.6.2' - tg_version: '0.55.15' - environment: 'stage' - AWS_REGION: us-east-1 - -permissions: - id-token: write - contents: read - -jobs: - validate-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ env.AWS_REGION }} - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ env.tf_version }} - tofu_wrapper: false - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - name: validate vpc - working-directory: ./tofu/environments/${{ env.environment}}/network/vpc - run: | - terragrunt init - terragrunt validate - - name: validate backend - working-directory: ./tofu/environments/${{ env.environment}}/services/backend-infra - run: | - terragrunt init - terragrunt validate - - name: validate cache - working-directory: ./tofu/environments/${{ env.environment}}/data-store/cache - run: | - terragrunt init - terragrunt validate - - name: validate database - working-directory: ./tofu/environments/${{ env.environment}}/data-store/database - run: | - terragrunt init - terragrunt validate - - name: validate frontend - working-directory: ./tofu/environments/${{ env.environment}}/services/frontend - run: | - terragrunt init - terragrunt validate diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml new file mode 100644 index 000000000..516ab5ad0 --- /dev/null +++ b/.github/workflows/iac_verify.yaml 
@@ -0,0 +1,58 @@ +name: verify-iac + +on: + push: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + module: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + validate-iac: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + - name: init + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt init + - name: validate + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt validate + - name: plan + working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} + run: terragrunt plan + From 6be562a54e1a68a9298ffe580e9b90400d788d71 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:17:36 -0400 Subject: [PATCH 129/298] removed push trigger from resuable jobs --- .github/workflows/iac_apply.yaml | 1 - .github/workflows/iac_verify.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index 56a8d0992..b0ca4c967 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -1,7 +1,6 @@ name: apply-iac on: - push: workflow_call: inputs: tf_version: 
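Review bot: `role-to-assume: ${{secrets.IAM_ROLE}}` reads a secret that the `workflow_call` block never declares, so this reusable workflow only works when the caller passes `secrets: inherit`, which hands it every repository secret rather than the one it needs. Declaring it under `on.workflow_call` as `secrets: { IAM_ROLE: { required: true } }` makes the contract explicit and lets the caller pass just that secret; `iac_apply.yaml` has the same gap. The job is named `validate-iac` although it also plans; `verify-iac` would match the workflow name and keep the Checks UI readable.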
diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 516ab5ad0..2f8376b02 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -1,7 +1,6 @@ name: verify-iac on: - push: workflow_call: inputs: tf_version: From 33bfea9aabc5889f3c5c5bbdd4076bf67cea3520 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:25:17 -0400 Subject: [PATCH 130/298] corrected env syntax --- .github/workflows/iac_main.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 96a3e1e8e..6624a96a3 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,11 +17,11 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: env.tf_version - tg_version: env.tg_version - aws_region: env.aws_region - environment: matrix.envrionment - module: matrix.module + tf_version: $tf_version + tg_version: $tg_version + aws_region: $env.aws_region + environment: ${{ matrix.environment }} + module: ${{ matrix.module }} secrets: inherit apply: @@ -32,10 +32,10 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: env.tf_version - tg_version: env.tg_version - aws_region: env.aws_region - environment: matrix.envrionment - module: matrix.module + tf_version: $tf_version + tg_version: $tg_version + aws_region: $env.aws_region + environment: ${{ matrix.environment }} + module: ${{ matrix.module }} secrets: inherit From 253cd714c65a030a0fffcdc138cccd8bba590776 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 28 Mar 2024 09:26:16 -0400 Subject: [PATCH 131/298] re-corrected env syntax --- .github/workflows/iac_main.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 6624a96a3..fbe7a99bb 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -19,7 +19,7 @@ jobs: with: tf_version: $tf_version tg_version: $tg_version - aws_region: $env.aws_region + aws_region: $aws_region environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit @@ -34,7 +34,7 @@ jobs: with: tf_version: $tf_version tg_version: $tg_version - aws_region: $env.aws_region + aws_region: $aws_region environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From 79212b9b33e7fe754c239314b7fa2b8d4bae2969 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:32:05 -0400 Subject: [PATCH 132/298] re-corrected env syntax again --- .github/workflows/iac_main.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index fbe7a99bb..0c4a8df45 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,9 +17,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: $tf_version - tg_version: $tg_version - aws_region: $aws_region + tf_version: '$tf_version' + tg_version: '$tg_version' + aws_region: '$aws_region' environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit 
@@ -32,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: $tf_version - tg_version: $tg_version - aws_region: $aws_region + tf_version: '$tf_version' + tg_version: '$tg_version' + aws_region: '$aws_region' environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From d3d16eb4a6c1608d5e8b5d3b25dc5d6945a15c03 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 09:56:21 -0400 Subject: [PATCH 133/298] testing using env in job block --- .github/workflows/iac_main.yaml | 33 ++++++++++++++++++++++++--------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 0c4a8df45..821b04a5a 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -1,14 +1,29 @@ name: IaC Main +concurrency: + group: iac + cancel-in-progress: true + on: push: +permissions: + id-token: write + contents: read + env: - tf_version: '1.6.2' - tg_version: '0.55.15' - aws_region: us-east-1 + TF_VERSION: '1.6.2' + TG_VERSION: '0.55.15' + AWS_REGION: us-east-1 jobs: + dummy: + runs-on: ubuntu/latest + steps: + - name: some crap + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{env.AWS_REGION }} verify: if: github.ref != 'refs/heads/main' strategy: @@ -17,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: '$tf_version' - tg_version: '$tg_version' - aws_region: '$aws_region' + tf_version: ${{ env.TF_VERSION }} + tg_version: ${{ env.TG_VERSION }} + aws_region: ${{ env.AWS_REGION }} environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit 
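Review bot: `concurrency: group: iac` with `cancel-in-progress: true` covers the `apply` job as well as `verify`, so a second push while `terragrunt apply` is running cancels the apply midway, which can leave resources half-applied and the state lock held until someone runs `force-unlock`. Use `cancel-in-progress: false` for this group, or scope it per ref (`group: iac-${{ github.ref }}`) and keep applies queued rather than cancelled. The `dummy` job's `runs-on: ubuntu/latest` is not a valid runner label (`ubuntu-latest`), and its step `some crap` calls `aws-actions/configure-aws-credentials@v4` with no role, so it looks like scratch code that should not land on the branch that applies infrastructure.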
@@ -32,9 +47,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: '$tf_version' - tg_version: '$tg_version' - aws_region: '$aws_region' + tf_version: ${{ env.TF_VERSION }} + tg_version: ${{ env.TG_VERSION }} + aws_region: ${{ env.AWS_REGION }} environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From 53252bd6a4eeb87198c438b9aa92e8bd424140b7 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:01:49 -0400 Subject: [PATCH 134/298] hardcoded workaround for env context issue --- .github/workflows/iac_main.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 821b04a5a..31045226a 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -32,9 +32,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: - tf_version: ${{ env.TF_VERSION }} - tg_version: ${{ env.TG_VERSION }} - aws_region: ${{ env.AWS_REGION }} + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit @@ -47,9 +47,9 @@ jobs: module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: - tf_version: ${{ env.TF_VERSION }} - tg_version: ${{ env.TG_VERSION }} - aws_region: ${{ env.AWS_REGION }} + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} module: ${{ matrix.module }} secrets: inherit From fb1bc7d2fb2cb8408c4709aa8d56829d084581a3 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 28 Mar 2024 10:04:20 -0400 Subject: [PATCH 135/298] missed updating one input in called workflows --- .github/workflows/iac_apply.yaml | 2 +- .github/workflows/iac_main.yaml | 7 ------- .github/workflows/iac_verify.yaml | 2 +- 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index b0ca4c967..b97e2f6fb 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -42,7 +42,7 @@ jobs: tofu_wrapper: false - name: install terragrunt run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - name: init diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 31045226a..d29f24351 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -17,13 +17,6 @@ env: AWS_REGION: us-east-1 jobs: - dummy: - runs-on: ubuntu/latest - steps: - - name: some crap - uses: aws-actions/configure-aws-credentials@v4 - with: - aws-region: ${{env.AWS_REGION }} verify: if: github.ref != 'refs/heads/main' strategy: diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 2f8376b02..46207ed34 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -42,7 +42,7 @@ jobs: tofu_wrapper: false - name: install terragrunt run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ env.tg_version }}/terragrunt_linux_amd64" + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - name: init 
From 044588e45395ab63ba72ac76c0ada9a01d127ec6 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:15:23 -0400 Subject: [PATCH 136/298] run all steps on a single runner --- .github/workflows/iac_apply.yaml | 50 +++++++++++++++++++++---------- .github/workflows/iac_main.yaml | 4 --- .github/workflows/iac_verify.yaml | 43 ++++++++++++++++++-------- 3 files changed, 65 insertions(+), 32 deletions(-) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/iac_apply.yaml index b97e2f6fb..9927aae6f 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/iac_apply.yaml @@ -15,9 +15,6 @@ on: environment: required: true type: string - module: - required: true - type: string permissions: id-token: write 
@@ -45,15 +42,38 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: init - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt init - - name: validate - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt validate - - name: plan - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt plan -out tfplan - - name: apply - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt apply tfplan + - name: vpc + working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + run: | + terragrunt init + terragrunt validate + terragrunt plan tfplan + terragrunt apply tfplan + - name: backend-infra + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: cache + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: database + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan + - name: frontend + working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + run: | + terragrunt init + terragrunt validate + terragrunt plan + terragrunt apply tfplan diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index d29f24351..a242ea19c 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml 
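Review bot: None of the five steps writes the plan file that `terragrunt apply tfplan` then consumes: the `vpc` step runs `terragrunt plan tfplan` (a positional argument, not `-out`, which tofu should reject as an extra argument) and the other four run a bare `terragrunt plan`, so every step fails at apply — or, if someone "fixes" it by dropping `tfplan`, apply will re-plan and execute changes that were never shown. Keep the saved-plan pattern, since it is what guarantees that what is applied is exactly what was planned, and use `terragrunt plan -input=false -out tfplan` in each step so a missing variable fails instead of waiting on stdin. `terraform/tfbackend` was in the removed module matrix but has no step here, so the backend bootstrap module appears to be no longer applied by this workflow; confirm that is intended.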
@@ -22,14 +22,12 @@ jobs: strategy: matrix: environment: [stage, production] - module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_verify.yaml with: tf_version: 1.6.2 tg_version: 0.55.15 aws_region: us-east-1 environment: ${{ matrix.environment }} - module: ${{ matrix.module }} secrets: inherit apply: @@ -37,13 +35,11 @@ jobs: strategy: matrix: environment: [stage] - module: [terraform/tfbackend, network/vpc, services/backend-infra, data-store/cache, data-store/database, services/frontend] uses: ./.github/workflows/iac_apply.yaml with: tf_version: 1.6.2 tg_version: 0.55.15 aws_region: us-east-1 environment: ${{ matrix.environment }} - module: ${{ matrix.module }} secrets: inherit diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 46207ed34..85dd1f196 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -15,9 +15,6 @@ on: environment: required: true type: string - module: - required: true - type: string permissions: id-token: write 
@@ -45,13 +42,33 @@ jobs: sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v - - name: init - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt init - - name: validate - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt validate - - name: plan - working-directory: ./tofu/environments/${{inputs.environment}}/${{inputs.module}} - run: terragrunt plan - + - name: vpc + working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: backend-infra + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: cache + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: database + working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + run: | + terragrunt init + terragrunt validate + terragrunt plan + - name: frontend + working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + run: | + terragrunt init + terragrunt validate + terragrunt plan From 49a63db01a3ba560a437019943835075daf87a39 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:26:34 -0400 Subject: [PATCH 137/298] add max parallel constraints to matrix to avoid concurrency issues --- .github/workflows/iac_main.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index a242ea19c..3a81b0b62 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml 
@@ -20,6 +20,7 @@ jobs: verify: if: github.ref != 'refs/heads/main' strategy: + max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/iac_verify.yaml @@ -33,6 +34,7 @@ jobs: apply: if: github.ref == 'refs/heads/main' strategy: + max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/iac_apply.yaml From eb3f2f87bc4c6fa00b8f0b090f1cc9ff4cc86976 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:33:17 -0400 Subject: [PATCH 138/298] corrected backedn-infra dependency issue --- .../production/services/backend-infra/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 4e84c4c63..747712f1e 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] From e4e7a39fdb62ea7f72d1de2cd5370fe4fa738f6b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:42:53 -0400 Subject: [PATCH 139/298] dependency issue in backend-infra --- .../production/services/backend-infra/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 747712f1e..b67cfe467 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl 
@@ -19,6 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] + private_subnets = [] ecr_endpoint_security_group = "mock_sg" secrets_endpoint_security_group = "mock_sg" logs_endpoint_security_group = "mock_sg" From ac950700c1f3d5d10d41fba979c53e792581f915 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 10:52:07 -0400 Subject: [PATCH 140/298] add continue-on-error to actions validation job --- .github/workflows/iac_verify.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index 85dd1f196..b7f7de9a9 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -44,30 +44,35 @@ jobs: terragrunt -v - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database + continue-on-error: true run: | terragrunt init terragrunt validate terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend + continue-on-error: true run: | terragrunt init terragrunt validate From 2868e71699f8cc77d69e909c0ea2298b51a66e58 Mon Sep 17 00:00:00 2001 
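Review bot: `continue-on-error: true` on the vpc, backend-infra, cache, database and frontend steps makes this verify job report success even when `terragrunt validate` or `terragrunt plan` fails, so a broken module can be merged to `main` and reach the apply workflow without a red check. If the intent is only to let the remaining modules still produce diagnostic output, give each step an `id` and add a final step that fails the job when any earlier step's `outcome` is `failure`, so the failure is visible at the job level rather than swallowed. A short comment above the first `continue-on-error`, `# deliberately non-fatal so every module is planned; the last step aggregates failures`, would document the intent.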
From: Jo Date: Thu, 28 Mar 2024 11:39:29 -0400 Subject: [PATCH 141/298] added init support for dependency mock outputs --- .github/workflows/iac_verify.yaml | 1 - .../environments/production/data-store/cache/terragrunt.hcl | 4 ++-- .../production/data-store/database/terragrunt.hcl | 6 +++--- .../production/services/backend-infra/terragrunt.hcl | 2 +- .../production/services/frontend/terragrunt.hcl | 2 +- 5 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/iac_verify.yaml index b7f7de9a9..cfb17d84e 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/iac_verify.yaml @@ -72,7 +72,6 @@ jobs: terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend - continue-on-error: true run: | terragrunt init terragrunt validate diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index a5221540a..88846d68a 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 082ef325d..35355f36d 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl 
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] @@ -26,7 +26,7 @@ dependency "vpc" { dependency "cache" { config_path = "../cache" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { security_group_id = "mock_sg_id" } @@ -35,7 +35,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index b67cfe467..5ed033407 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" subnets = [] diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index fc2a1f092..71af8f1bb 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl 
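Review bot: Adding `"plan"` to `mock_outputs_allowed_terraform_commands` for the vpc dependency lets `terragrunt plan` succeed with `vpc_id = "mock_vpc_id"` and empty subnet lists whenever the vpc stack has no real outputs yet; the apply workflow appears to save the plan and then run `terragrunt apply tfplan`, so a plan built on mocks could be applied with placeholder values baked in (apply is not in the allowed list, but the saved plan already contains them). Consider leaving `plan` out of the list wherever apply follows plan, or guarding the apply step on the dependency having real state. The same widening appears later for frontend, cache and database (PATCH 143, 145, 146) and in the new backend-service config (PATCH 154), so one decision should cover all of them.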
@@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend" - mock_outputs_allowed_terraform_commands = ["validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" From bbd651ab53bf620aef5137ca7c9f43e339608f4b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:23:25 -0400 Subject: [PATCH 142/298] corrected production module path --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 71af8f1bb..12967aacb 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -13,7 +13,7 @@ terraform { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { From d8cd4891deb299295042e36cf71e04ef5334bf81 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:40:46 -0400 Subject: [PATCH 143/298] further dependency correction --- .../production/data-store/cache/terragrunt.hcl | 2 +- .../production/data-store/database/terragrunt.hcl | 7 +++---- .../production/services/frontend/terragrunt.hcl | 2 +- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 88846d68a..d843fc7aa 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl 
@@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" - subnets = [] + database_subnets = [] source_security_groups = [] } } diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index 35355f36d..fc1f652ce 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -17,9 +17,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - source_security_groups = [] + vpc_id = "mock_vpc_id" + database_subnet_group = "mock_subnet_group" } } @@ -33,7 +32,7 @@ dependency "cache" { } dependency "backend" { - config_path = "../../services/backend" + config_path = "../../services/backend-infra" mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] mock_outputs = { diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 12967aacb..84087e74b 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" From b022e4f800ca95be5ae6bbad05515fc565894383 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:52:58 -0400 Subject: [PATCH 144/298] further dependency resolution --- tofu/environments/production/data-store/cache/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index d843fc7aa..59d3a0225 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -18,8 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate"] mock_outputs = { vpc_id = "mock_vpc_id" - database_subnets = [] - source_security_groups = [] + database_subnets = ["subnet-mocksubnet1234567"] + source_security_groups = ["sg-mocksecuritygroup"] } } From 855fb42aa86cc65a4df136fabe983d1ca2971846 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 12:58:28 -0400 Subject: [PATCH 145/298] further dependency resolution --- tofu/environments/production/data-store/cache/terragrunt.hcl | 2 +- .../production/data-store/database/terragrunt.hcl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 59d3a0225..831bd4feb 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" database_subnets = ["subnet-mocksubnet1234567"] diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl index fc1f652ce..6a8a0a46a 100644 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ b/tofu/environments/production/data-store/database/terragrunt.hcl 
@@ -15,7 +15,7 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["init", "validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" database_subnet_group = "mock_subnet_group" @@ -34,7 +34,7 @@ dependency "cache" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "sg-mocksecuritygroup" } From 6af5ea431360c84135f13582800a70af34124f27 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 13:04:34 -0400 Subject: [PATCH 146/298] further dependency resolution --- tofu/environments/production/data-store/cache/terragrunt.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl index 831bd4feb..086987807 100644 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -26,7 +26,7 @@ dependency "vpc" { dependency "backend" { config_path = "../../services/backend-infra" - mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { security_group_id = "mock_sg_id" } From 94640e01c5cad4ad5f86eb7ff8e0e5d74aede28b Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 13:52:05 -0400 Subject: [PATCH 147/298] narrowed path triggers for iac workflows --- .github/workflows/iac_main.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 3a81b0b62..75bf42bb6 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml 
@@ -6,6 +6,10 @@ concurrency: on: push: + paths: + - tofu/environments/** + - tofu/modules/** + - .github/workflows/* permissions: id-token: write From 55c9154d730922054abff5848938b90d617506c4 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 28 Mar 2024 14:20:37 -0400 Subject: [PATCH 148/298] adjusting job conditional logic --- .github/workflows/iac_main.yaml | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml index 75bf42bb6..d931e22b8 100644 --- a/.github/workflows/iac_main.yaml +++ b/.github/workflows/iac_main.yaml @@ -6,10 +6,6 @@ concurrency: on: push: - paths: - - tofu/environments/** - - tofu/modules/** - - .github/workflows/* permissions: id-token: write @@ -21,8 +17,23 @@ env: AWS_REGION: us-east-1 jobs: + iac-changes: + runs-on: ubuntu-latest + outputs: + run-iac: ${{ steps.check.outputs.run-iac }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + run-iac: + - 'tofu/**' + - '.github/workflows/**' + verify: - if: github.ref != 'refs/heads/main' + needs: iac-changes + if: github.ref != 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -36,7 +47,8 @@ jobs: secrets: inherit apply: - if: github.ref == 'refs/heads/main' + needs: iac-changes + if: github.ref == 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 4e502ace5d74df3f4ae4dfdac616fc36e0497792 Mon Sep 17 00:00:00 2001 
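Review bot: `dorny/paths-filter@v3` (like `actions/checkout@v4` beside it) is referenced by a mutable tag in a job that every push runs and whose output decides whether the OIDC-backed `verify` and `apply` jobs execute; third-party actions on this path should be pinned to a full commit SHA with the tag kept in a comment, e.g. `- uses: dorny/paths-filter@<commit-sha>  # v3`, so a moved tag cannot change that decision. Note also that the `paths:` trigger added in PATCH 147 is removed again here in favour of the filter job, and that `.github/workflows/**` is part of `run-iac`, so any workflow edit on a branch now triggers a plan against the production matrix entry as well as stage.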
From: Jo Date: Mon, 1 Apr 2024 08:48:13 -0400 Subject: [PATCH 149/298] added backend-service verify --- .../{iac_apply.yaml => apply-iac.yaml} | 7 ++ .github/workflows/deploy-backend.yaml | 87 +++++++++++++++++ .github/workflows/deploy-frontend.yaml | 0 .github/workflows/iac_main.yaml | 63 ------------- .github/workflows/primary.yaml | 94 +++++++++++++++++++ .github/workflows/verify-backend.yaml | 87 +++++++++++++++++ .../{iac_verify.yaml => verify-iac.yaml} | 7 ++ 7 files changed, 282 insertions(+), 63 deletions(-) rename .github/workflows/{iac_apply.yaml => apply-iac.yaml} (99%) create mode 100644 .github/workflows/deploy-backend.yaml create mode 100644 .github/workflows/deploy-frontend.yaml delete mode 100644 .github/workflows/iac_main.yaml create mode 100644 .github/workflows/primary.yaml create mode 100644 .github/workflows/verify-backend.yaml rename .github/workflows/{iac_verify.yaml => verify-iac.yaml} (99%) diff --git a/.github/workflows/iac_apply.yaml b/.github/workflows/apply-iac.yaml similarity index 99% rename from .github/workflows/iac_apply.yaml rename to .github/workflows/apply-iac.yaml index 9927aae6f..f531f3c02 100644 --- a/.github/workflows/iac_apply.yaml +++ b/.github/workflows/apply-iac.yaml @@ -32,16 +32,19 @@ jobs: role-to-assume: ${{secrets.IAM_ROLE}} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{inputs.aws_region}} + - name: install opentofu uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{inputs.tf_version}} tofu_wrapper: false + - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v + - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc run: | 
@@ -49,6 +52,7 @@ jobs: terragrunt validate terragrunt plan tfplan terragrunt apply tfplan + - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra run: | @@ -56,6 +60,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache run: | @@ -63,6 +68,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database run: | @@ -70,6 +76,7 @@ jobs: terragrunt validate terragrunt plan terragrunt apply tfplan + - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml new file mode 100644 index 000000000..38e93d2dc --- /dev/null +++ b/.github/workflows/deploy-backend.yaml 
@@ -0,0 +1,87 @@ +name: Deploy Backend + +# Stop any pending jobs +concurrency: + group: backend + cancel-in-progress: true + +on: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + +env: + AWS_REGION: us-east-1 + ECR_REPOSITORY: appointments + ECS_SERVICE: appointments-service + ECS_CLUSTER: appointments + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: backend-${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. 
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service + run: | + terragrunt init + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' + terragrunt apply tfplan + diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/.github/workflows/iac_main.yaml b/.github/workflows/iac_main.yaml deleted file mode 100644 index d931e22b8..000000000 --- a/.github/workflows/iac_main.yaml +++ /dev/null 
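Review bot: The `backend-service` step runs `terragrunt plan -var '...'` without `-out tfplan` and then `terragrunt apply tfplan`, so on a fresh runner the apply fails for lack of a plan file, and the image `-var` would not carry into an apply anyway; change the pair to `terragrunt plan -out tfplan -var 'image=${{ steps.build-backend.outputs.image_backend }}'` followed by `terragrunt apply tfplan`. Separately, `concurrency: group: backend` with `cancel-in-progress: true` can cancel a run in the middle of `terragrunt apply`, leaving a locked or half-applied state; for deploy workflows `cancel-in-progress: false` is the safer choice. `ECS_SERVICE`, `ECS_CLUSTER` and the top-level `AWS_REGION` env values are not used anywhere in this file.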
@@ -1,63 +0,0 @@ -name: IaC Main - -concurrency: - group: iac - cancel-in-progress: true - -on: - push: - -permissions: - id-token: write - contents: read - -env: - TF_VERSION: '1.6.2' - TG_VERSION: '0.55.15' - AWS_REGION: us-east-1 - -jobs: - iac-changes: - runs-on: ubuntu-latest - outputs: - run-iac: ${{ steps.check.outputs.run-iac }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - run-iac: - - 'tofu/**' - - '.github/workflows/**' - - verify: - needs: iac-changes - if: github.ref != 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/iac_verify.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - apply: - needs: iac-changes - if: github.ref == 'refs/heads/main' && needs.iac-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/iac_apply.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml new file mode 100644 index 000000000..9e02ecbdf --- /dev/null +++ b/.github/workflows/primary.yaml 
@@ -0,0 +1,94 @@ +name: Primary Workflow + +concurrency: + group: iac + cancel-in-progress: true + +on: + push: + +permissions: + id-token: write + contents: read + +env: + TF_VERSION: '1.6.2' + TG_VERSION: '0.55.15' + AWS_REGION: us-east-1 + +jobs: + detect-changes: + runs-on: ubuntu-latest + outputs: + run-iac: ${{ steps.check.outputs.run-iac }} + run-backend: ${{ steps.check.outputs.run-backend }} + run-frontend: ${{ steps.check.outputs.run-frontend }} + steps: + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + run-iac: + - 'tofu/**' + - '.github/workflows/**' + run-backend: + - 'backend/**' + run-frontend: + - 'frontend/**' + + verify-iac: + needs: detect-changes + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage, production] + uses: ./.github/workflows/verify-iac.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + + apply-iac: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage] + uses: ./.github/workflows/apply-iac.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + + ci-tests: + needs: detect-changes + if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + uses: ./.github/workflows/ci-tests.yaml + + deploy-backend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage] + uses: ./.github/workflows/deploy-backend.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: 
${{ matrix.environment }} + secrets: inherit + + deploy-frontend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + uses: ./.github/workflows/deploy-frontend.yaml \ No newline at end of file diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml new file mode 100644 index 000000000..00e8a6cf3 --- /dev/null +++ b/.github/workflows/verify-backend.yaml 
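Review bot: `ci-tests` points at `./.github/workflows/ci-tests.yaml`, which is not among the files this commit creates or renames, and `deploy-frontend` calls `deploy-frontend.yaml`, which this commit creates as an empty file; if either is missing or not a valid reusable workflow, `primary.yaml` as a whole fails validation on trigger and the IaC jobs never run. Add the files or drop those jobs until they exist. The top-level `TF_VERSION`/`TG_VERSION` env values are never used — every `with:` block hard-codes `1.6.2`/`0.55.15` — and to my knowledge the `env` context is not available in a reusable-workflow `with:` block, so either remove them or move the versions to something `with:` can read. Since `verify-iac` plans production on every non-main push using the OIDC role, a comment on that job noting that the `IAM_ROLE` trust policy is what limits which refs may assume it would help the next reader.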
@@ -0,0 +1,87 @@ +name: Deploy Backend + +# Stop any pending jobs +concurrency: + group: backend + cancel-in-progress: true + +on: + workflow_call: + inputs: + tf_version: + required: true + type: string + tg_version: + required: true + type: string + aws_region: + required: true + type: string + environment: + required: true + type: string + +env: + AWS_REGION: us-east-1 + ECR_REPOSITORY: appointments + ECS_SERVICE: appointments-service + ECS_CLUSTER: appointments + IMAGE: dummyimagename + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{inputs.tf_version}} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: backend-${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. 
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service + run: | + terragrunt init + terragrunt validate + terragrunt plan -var 'image=$IMAGE' + diff --git a/.github/workflows/iac_verify.yaml b/.github/workflows/verify-iac.yaml similarity index 99% rename from .github/workflows/iac_verify.yaml rename to .github/workflows/verify-iac.yaml index cfb17d84e..fe1767803 100644 --- a/.github/workflows/iac_verify.yaml +++ b/.github/workflows/verify-iac.yaml @@ -32,16 +32,19 @@ jobs: role-to-assume: ${{secrets.IAM_ROLE}} role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{inputs.aws_region}} + - name: install opentofu uses: opentofu/setup-opentofu@v1 with: tofu_version: ${{inputs.tf_version}} tofu_wrapper: false + - name: install terragrunt run: | sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" sudo chmod +x /bin/terragrunt terragrunt -v + - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc continue-on-error: true @@ -49,6 +52,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra continue-on-error: true @@ -56,6 +60,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache continue-on-error: true @@ -63,6 +68,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database continue-on-error: true 
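Review bot: `terragrunt plan -var 'image=$IMAGE'` is single-quoted, so the shell passes the literal string `$IMAGE` rather than the env value; use `-var "image=$IMAGE"`. More importantly for a workflow that `primary.yaml` runs on non-main branches, the `Build, tag, and push` step pushes every branch build into the shared ECR repository, so unreviewed images land in the registry the deploy path reads from; a verify workflow should build without `docker push` or target a separate scratch repository. The file also still carries `name: Deploy Backend` and job id `deploy-backend`, which should be renamed to reflect that this is verification, and `IMAGE: dummyimagename` deserves a comment such as `# placeholder image reference; only used to plan, never applied`.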
@@ -70,6 +76,7 @@ jobs: terragrunt init terragrunt validate terragrunt plan + - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | From fe128c3838181d0a92b54cfd07a3620ae2cdaa06 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 08:50:58 -0400 Subject: [PATCH 150/298] testing primary action --- .github/workflows/primary.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 9e02ecbdf..038e8b1ed 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -88,7 +88,3 @@ jobs: environment: ${{ matrix.environment }} secrets: inherit - deploy-frontend: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' - uses: ./.github/workflows/deploy-frontend.yaml \ No newline at end of file From c13e3bf08def96f2682ddc40d57f4617ae2e1b62 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 08:57:52 -0400 Subject: [PATCH 151/298] testing primary action --- .github/workflows/primary.yaml | 15 +++++++++++++++ .github/workflows/verify-backend.yaml | 15 +-------------- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 038e8b1ed..12c8e9a3e 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml 
@@ -73,6 +73,21 @@ jobs: if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml + verify-backend: + needs: detect-changes + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + strategy: + max-parallel: 1 + matrix: + environment: [stage, production] + uses: ./.github/workflows/verify-backend.yaml + with: + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 + environment: ${{ matrix.environment }} + secrets: inherit + deploy-backend: needs: detect-changes if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index 00e8a6cf3..ebbb8b3a7 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml @@ -33,7 +33,7 @@ permissions: contents: read jobs: - deploy-backend: + validate-backend: runs-on: ubuntu-latest steps: @@ -65,19 +65,6 @@ jobs: with: mask-password: 'true' - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | From 8a95a1319e7b2075294f290bd8dc14da54e2e1e1 Mon Sep 17 00:00:00 2001 
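Review bot: With the build-and-push step removed, the `Login to Amazon ECR` step that precedes it (its `with: mask-password: 'true'` lines are the context here) no longer has a consumer, yet it still exchanges the OIDC session for registry credentials on every branch run; drop it so the verify job's footprint is only what `terragrunt plan` needs. The `verify-backend` job added to `primary.yaml` matrixes over `[stage, production]`, so a branch push now plans the production backend-service; confirm that is intended and that the `IAM_ROLE` trust policy permits it only for the refs you expect. Renaming the job id to `validate-backend` while the workflow `name:` above the hunk still says `Deploy Backend` leaves the run list misleading; rename both together.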
From: Jo Date: Mon, 1 Apr 2024 09:08:28 -0400 Subject: [PATCH 152/298] fixed verify-backend trigger --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 12c8e9a3e..7950afe59 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 415451a897c2dd6206f84881bfa7179cbe33c78e Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:16:41 -0400 Subject: [PATCH 153/298] added production backend-service & fixed image name in backend-service --- .github/workflows/verify-backend.yaml | 2 +- .../services/backend-service/terragrunt.hcl | 54 +++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 tofu/environments/production/services/backend-service/terragrunt.hcl diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index ebbb8b3a7..e8f28488d 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml @@ -70,5 +70,5 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan -var 'image=$IMAGE' + terragrunt plan -var 'image=${{env.IMAGE}}' diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl new file mode 100644 index 000000000..76d583483 --- /dev/null +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl 
@@ -0,0 +1,54 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "env" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/services/backend-service" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + private_subnets = ["subnet-mocksubnet1234567"] + } +} + +dependency "backend-infra" { + config_path = "../backend-infra" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + target_group_key = "MOCK_KEY" + log_group = "MOCK_LOGS" + ecs_cluster = "MOCK_CLUSTER_ID" + security_group = "MOCK_SG" + } +} + +locals { + environment = include.env.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" + region = include.env.locals.region + project_tags = include.root.locals.tags + environment_tags = include.env.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + name_prefix = local.name_prefix + region = local.region + subnets = dependency.vpc.outputs.private_subnets + log_group = dependency.backend-infra.outputs.log_group + target_group_arn = dependency.backend-infra.outputs.target_group_arn + security_group = dependency.backend-infra.outputs.security_group_id + ecs_cluster = dependency.backend-infra.outputs.cluster_id + tags = local.tags +} \ No newline at end of file From 2b6ae0a632470829e12f29be05d70570dfc07072 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:24:26 -0400 Subject: [PATCH 154/298] fixed backend-service dependency --- .../production/services/backend-service/terragrunt.hcl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 76d583483..b0016589f 100644 
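Review bot: The `mock_outputs` for `backend-infra` declare `target_group_key`, `ecs_cluster` and `security_group`, but the `inputs` block at the bottom of the file reads `dependency.backend-infra.outputs.target_group_arn`, `cluster_id` and `security_group_id`, so the mocks never cover the attributes actually referenced and `validate` will fail whenever the real unit has no outputs yet. Make the two agree — either rename the mock keys to `target_group_arn`, `cluster_id`, `security_group_id`, or change the `inputs` to the names the mocks provide. Restricting mocks to `["validate"]` is the right choice for a production unit; keep it that way rather than widening it to `plan` when the mismatch surfaces.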
--- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -15,9 +15,9 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["validate", "plan"] mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567"] + private_subnets = ["subnet-mocksubnet1234567", "plan"] } } From e471efc99676438e24f59c3774da8d593ecb16f2 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:27:34 -0400 Subject: [PATCH 155/298] added frontend deployment --- .github/workflows/deploy-frontend.yaml | 40 ++++++++++++++++++++++++++ .github/workflows/primary.yaml | 8 ++++++ 2 files changed, 48 insertions(+) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index e69de29bb..6dcfbac7a 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -0,0 +1,40 @@ +name: Deploy Frontend + +# Stop any pending jobs +concurrency: + group: frontend + cancel-in-progress: true + +on: + workflow_call: + inputs: + aws_region: + required: true + type: string + bucket: + required: true + type: string + +permissions: + id-token: write + contents: read + +jobs: + deploy-backend: + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{secrets.IAM_ROLE}} + role-session-name: GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{inputs.aws_region}} + + - name: Deploy Frontend + run: aws s3 sync frontend s3://${{inputs.bucket}} + + diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 7950afe59..c20006de6 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml 
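Review bot: `"plan"` was appended to the `private_subnets` mock list instead of only to `mock_outputs_allowed_terraform_commands`, so the vpc mock now yields a two-element list whose second entry is not a subnet id; the intended line is `private_subnets = ["subnet-mocksubnet1234567"]`. Allowing mocks during `plan` also means a plan taken while the vpc unit has no state is computed against a fake subnet, which is tolerable for a validation-only run but not for a plan that is later applied.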
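Review bot: Everything under `frontend/` that is checked in — raw sources, config, any `.env` files kept alongside them — is published to the bucket behind the public CloudFront origin, because the `Deploy Frontend` step syncs the source tree (`aws s3 sync frontend s3://${{inputs.bucket}}`) rather than a build output. Sync only the built artifact directory and remove stale objects: `aws s3 sync frontend/dist s3://${{inputs.bucket}} --delete`. Two smaller points: `cancel-in-progress: true` on a deploy job can abort a sync half-way and leave the bucket in a mixed state, and the job is named `deploy-backend` in a frontend workflow. For a job that assumes an AWS role, pinning `actions/checkout` and `aws-actions/configure-aws-credentials` to commit SHAs rather than `@v4` tags is the usual supply-chain hardening.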
@@ -103,3 +103,11 @@ jobs: environment: ${{ matrix.environment }} secrets: inherit + deploy-frontend: + needs: detect-changes + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + uses: ./.github/workflows/deploy-frontend.yaml + with: + aws_region: us-east-1 + bucket: tb-appointment-stage-frontend + From 688637f46c16eb3d8986ed6a985457b64756a809 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 09:30:13 -0400 Subject: [PATCH 156/298] backend-service dependency --- .../production/services/backend-service/terragrunt.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index b0016589f..2d17da164 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -15,16 +15,16 @@ terraform { dependency "vpc" { config_path = "../../network/vpc" - mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567", "plan"] + private_subnets = ["subnet-mocksubnet1234567"] } } dependency "backend-infra" { config_path = "../backend-infra" - mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { target_group_key = "MOCK_KEY" log_group = "MOCK_LOGS" From f4001894fa12d7faedb79d21c74c12abc2730d60 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:07:34 -0400 Subject: [PATCH 157/298] more backend-service dependencies --- .../production/services/backend-service/terragrunt.hcl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
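Review bot: The called workflow authenticates with `${{secrets.IAM_ROLE}}`, but this `deploy-frontend` call passes no `secrets:` at all, so the credentials step will receive an empty role-to-assume; add `secrets:` / `IAM_ROLE: ${{ secrets.IAM_ROLE }}` to the call. Separately, the job is gated on `refs/heads/main` yet hardcodes `bucket: tb-appointment-stage-frontend`, so merges to `main` deploy the frontend only to stage while `deploy-backend` above fans out over `[stage, production]`; if that asymmetry is intentional for now, a comment saying so would prevent someone "fixing" it later.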
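Review bot: Adding `"plan"` to `mock_outputs_allowed_terraform_commands` on both the `vpc` and `backend-infra` dependencies means that when those units have no outputs yet, a production `terragrunt plan` silently substitutes `MOCK_SG`, `MOCK_CLUSTER_ID` and the fake subnet instead of failing. If such a plan is saved with `-out` and applied, the mock values are what gets applied. For a production unit keep the list at `mock_outputs_allowed_terraform_commands = ["init", "validate"]` and let a missing dependency fail the plan; if the verification workflow needs mocks for plan, scope that to a plan that is never applied.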
diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 2d17da164..a726b80bf 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_key = "MOCK_KEY" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" log_group = "MOCK_LOGS" - ecs_cluster = "MOCK_CLUSTER_ID" - security_group = "MOCK_SG" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } From 0eaf6191a5891983bdef0a96dace496380d50e1f Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:15:27 -0400 Subject: [PATCH 158/298] frontend deployment test --- .github/workflows/primary.yaml | 2 +- .../production/services/backend-service/terragrunt.hcl | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index c20006de6..b67d6e2a1 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index a726b80bf..8387eec5e 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl 
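Review bot: The mock `target_group_arn` embeds what appears to be a real account id (`768512802988`, the same one used in the ACM certificate ARN elsewhere in this series) rather than a placeholder. Account ids are not secrets, but a mock should be unmistakably fake so it can never be confused with a live resource; use the documentation account, e.g. `arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/mocktg/12345678901234`.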
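Review bot: Flipping `deploy-frontend` to `github.ref != 'refs/heads/main'` makes every non-main push deploy to the stage bucket; the subject calls it a test, so this must be reverted rather than left in place, and repeatedly toggling the branch gate is how a deploy-from-any-branch condition eventually lands on `main`. A `workflow_dispatch` trigger with an explicit environment input lets you run a one-off deploy without editing the gate.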
@@ -26,10 +26,10 @@ dependency "backend-infra" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" - log_group = "MOCK_LOGS" - cluster_id = "MOCK_CLUSTER_ID" - security_group_id = "MOCK_SG" + target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" + log_group = "MOCK_LOGS" + cluster_id = "MOCK_CLUSTER_ID" + security_group_id = "MOCK_SG" } } From 670102f2e1bd302417be6e6252078067309a66ea Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:20:29 -0400 Subject: [PATCH 159/298] clean up actions --- .github/workflows/deploy-backend.yaml | 5 +---- .github/workflows/deploy-frontend.yaml | 4 +--- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index 38e93d2dc..6382f5de6 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml @@ -22,10 +22,7 @@ on: type: string env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments + ECR_REPOSITORY: appointment permissions: id-token: write diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 6dcfbac7a..0e4bd6949 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -20,7 +20,7 @@ permissions: contents: read jobs: - deploy-backend: + deploy-frontend: runs-on: ubuntu-latest steps: @@ -36,5 +36,3 @@ jobs: - name: Deploy Frontend run: aws s3 sync frontend s3://${{inputs.bucket}} - - From bcf7556afe7aed023c8bce3aa2f4dc4b51b83fe4 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:22:28 -0400 Subject: [PATCH 160/298] pass secrets to frontend workflow --- .github/workflows/primary.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index b67d6e2a1..6909be041 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -110,4 +110,5 @@ jobs: with: aws_region: us-east-1 bucket: tb-appointment-stage-frontend + secrets: inherit From 31128a57f0867daabaf3276995f06ff00b312f58 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:28:46 -0400 Subject: [PATCH 161/298] frontend bucket name fix --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 6909be041..1bc6530c9 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -109,6 +109,6 @@ jobs: uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 - bucket: tb-appointment-stage-frontend + bucket: tb-apmt-stage-frontend secrets: inherit From b73919c3ef5b0aeb876042a646742430afeb809e Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 1 Apr 2024 10:38:00 -0400 Subject: [PATCH 162/298] deploy frontend from main branch only --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 1bc6530c9..30867865f 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 39cc54f91a88ff28fe2291852b1929e58335f991 Mon Sep 17 00:00:00 2001 
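Review bot: `secrets: inherit` hands every repository secret to `deploy-frontend.yaml`, which only reads `secrets.IAM_ROLE`. Declare the one secret explicitly — `secrets:` / `IAM_ROLE: ${{ secrets.IAM_ROLE }}` in this call, with a matching `secrets:` block under `workflow_call` in the callee — so the reusable workflow's access stays minimal and self-documenting.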
From: Melissa Autumn Date: Mon, 1 Apr 2024 08:14:06 -0700 Subject: [PATCH 163/298] Build the frontend and deploy the build artifacts. --- .github/workflows/deploy-frontend.yaml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 0e4bd6949..f3c3a0507 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -27,6 +27,17 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && npm install + + - name: Build project + run: cd frontend && npm run build + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -35,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend s3://${{inputs.bucket}} + run: aws s3 sync frontend/dist s3://${{inputs.bucket}} From 597b4a0f6503e71e7ab1c30177ce8374b455258f Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Mon, 1 Apr 2024 08:42:30 -0700 Subject: [PATCH 164/298] IC- Switch frontend build to yarn --- .github/workflows/deploy-frontend.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index f3c3a0507..d719274c9 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -33,10 +33,10 @@ jobs: node-version: '18.x' - name: Install dependencies - run: cd frontend && npm install + run: cd frontend && yarn install - name: Build project - run: cd frontend && npm run build + run: cd frontend && yarn build - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 From b061c9dbff131b6a69363218333b65211d74a156 Mon Sep 17 00:00:00 2001 
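Review bot: `yarn install` in the `Install dependencies` step does not enforce the lockfile, so a drifted `yarn.lock` silently resolves different versions into the bundle that is deployed. Use `yarn install --frozen-lockfile` (Yarn 1) or `yarn install --immutable` (Yarn 2+) so drift fails the build instead; which Yarn major the project uses is not visible here. The same applies to the `npm install` this replaces — `npm ci` is the reproducible form.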
From: Jo Date: Mon, 1 Apr 2024 11:23:17 -0400 Subject: [PATCH 165/298] test frontend build --- .github/workflows/deploy-frontend.yaml | 2 +- .github/workflows/primary.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index d719274c9..97e7c77dd 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -46,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend/dist s3://${{inputs.bucket}} + run: aws s3 sync frontend s3://${{inputs.bucket}} --delete diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 30867865f..1bc6530c9 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From f0c05818fcc9154eefe8c928fdb9ac4de2634d37 Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Mon, 1 Apr 2024 08:48:28 -0700 Subject: [PATCH 166/298] IC- Deploy dist --- .github/workflows/deploy-frontend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 97e7c77dd..83bc75f1d 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -46,4 +46,4 @@ jobs: aws-region: ${{inputs.aws_region}} - name: Deploy Frontend - run: aws s3 sync frontend s3://${{inputs.bucket}} --delete + run: aws s3 sync frontend/dist s3://${{inputs.bucket}} --delete From 5185e1203318c8fda2d66c8e9e1b651a3bbde9fe Mon Sep 17 00:00:00 2001 
From: Jo Date: Mon, 1 Apr 2024 15:12:32 -0400 Subject: [PATCH 167/298] updating cloudfront tls config --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 1bc6530c9..30867865f 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 0036e1bcfdd0d9ff5c8a1457a6c6c39a044917d5 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:37:28 -0400 Subject: [PATCH 168/298] backend troubleshooting --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 +- tofu/modules/services/backend-infra/main.tf | 2 +- tofu/modules/services/frontend/main.tf | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index 84087e74b..aecb69f5e 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -32,7 +32,7 @@ locals { tags = "${merge(local.project_tags, local.environment_tags)}" - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4" + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" } inputs = { diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 5a46570e5..01c5146c3 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
@@ -148,7 +148,7 @@ module "backend_alb" { matcher = "200" path = "/" port = "traffic-port" - protocol = "HTTP" + protocol = "HTTPS" timeout = 5 unhealthy_threshold = 2 } diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 347254dcb..e01df4c85 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -96,6 +96,8 @@ resource "aws_cloudfront_distribution" "appointment" { include_cookies = true } + aliases = ["${var.environment}.appointment.day"] + origin { origin_id = "${var.name_prefix}-frontend" domain_name = aws_s3_bucket.frontend.bucket_domain_name From db4470f953da1fb3f02d6f6ef579edb62fcce73c Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:41:15 -0400 Subject: [PATCH 169/298] backend troubleshooting --- .github/workflows/primary.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 30867865f..74804ea57 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -90,7 +90,7 @@ jobs: deploy-backend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -105,7 +105,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 4925267cf98dfa8053d710bb8b6808fef7aebc20 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:48:32 -0400 Subject: [PATCH 170/298] backend troubleshooting --- .github/workflows/primary.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
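Review bot: Switching the health check to `protocol = "HTTPS"` will mark every target unhealthy if the target group it belongs to still speaks plain HTTP on port 5000 (the target group definition is above this hunk and not shown), because the ALB would then attempt a TLS handshake against a plaintext listener. If the goal is encryption to the task, the target group `protocol` and the container listener have to change together; otherwise keep the health check at `protocol = "HTTP"`.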
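Review bot: Both deploy jobs are now gated on `github.ref != 'refs/heads/main'`, and `deploy-backend` fans out over a matrix that includes `production`, so any push to any non-main branch deploys the backend to production with inherited secrets. "Troubleshooting" by editing the production deploy gate is the riskiest way to get an ad-hoc run; add `workflow_dispatch` with an environment input, or put required reviewers on a `production` GitHub environment, and leave the `main`-only condition in place.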
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 74804ea57..d37b8fd46 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -90,7 +90,6 @@ jobs: deploy-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -105,7 +104,7 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 89636d153205afed53be3958746e83ad385d7f6d Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 13:51:26 -0400 Subject: [PATCH 171/298] backend troubleshooting --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index d37b8fd46..85443d86d 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 136f72fea1036032eef0197137aa9c151f266006 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 14:00:20 -0400 Subject: [PATCH 172/298] backend troubleshooting --- .github/workflows/deploy-backend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index 6382f5de6..a2e3f8dce 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml 
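Review bot: Removing the `if:` from `deploy-backend` leaves the job with no branch gate at all, so it runs — across the `[stage, production]` matrix declared just below — on every event that triggers `primary.yaml`, including pushes to feature branches, and with inherited secrets. Restore `if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true'` and use `workflow_dispatch` (or a GitHub environment with required reviewers on the production leg) for ad-hoc runs; a production deploy of unreviewed code is not an acceptable troubleshooting step.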
@@ -79,6 +79,6 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan terragrunt apply tfplan From 2f38a623f96d87ea20597953d72faed97a08e35d Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 15:51:07 -0400 Subject: [PATCH 173/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 01c5146c3..5a46570e5 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -148,7 +148,7 @@ module "backend_alb" { matcher = "200" path = "/" port = "traffic-port" - protocol = "HTTPS" + protocol = "HTTP" timeout = 5 unhealthy_threshold = 2 } From c9fed46dba0db6f55f15f79cf5be5b847de52bef Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 5 Apr 2024 09:10:45 -0400 Subject: [PATCH 174/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 5a46570e5..39fa3b705 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -134,7 +134,7 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { - name = "${var.name_prefix}-backend" + name = "${var.name_prefix}-backend-test" protocol = "HTTP" port = 5000 target_type = "ip" From 97256934fc6f145badceefabcd3c648405fa3c18 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 7 Apr 2024 09:46:44 -0400 Subject: [PATCH 175/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 2 +- tofu/modules/services/frontend/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
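Review bot: Saving the plan with `-out tfplan` and applying exactly that file is the right shape, but the plan file stores every variable and data-source result in plaintext in the workspace, including anything the providers mark sensitive. Make sure it is never uploaded as an artifact, and remove it once applied — `terragrunt apply tfplan && rm -f tfplan` — or write it under `$RUNNER_TEMP` so it does not outlive the step.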
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 39fa3b705..5a46570e5 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -134,7 +134,7 @@ module "backend_alb" { target_groups = { "${local.target_group_key}" = { - name = "${var.name_prefix}-backend-test" + name = "${var.name_prefix}-backend" protocol = "HTTP" port = 5000 target_type = "ip" diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index e01df4c85..6acc6ba4f 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -108,7 +108,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 80 + http_port = 5000 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] From 0bd22ea5f9bf37685a76f06354bf18cadcd80428 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 10 Apr 2024 13:40:46 -0400 Subject: [PATCH 176/298] add api rewriting and x-allow secret generation --- .../services/backend-infra/.terraform.lock.hcl | 17 +++++++++++++++++ tofu/modules/services/frontend/main.tf | 2 +- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index f68202b57..840c8c797 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
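Review bot: With `origin_protocol_policy = "https-only"` the `http_port` value is never used by CloudFront, so changing it to 5000 is inert; the setting that actually matters is `https_port = 5000`, which requires the ALB at `var.backend_dns_name` to terminate TLS on port 5000 with a certificate valid for that name. The ALB listener is not in this hunk (the `backend-infra` target group seen in the previous hunk is HTTP/5000, which is a different thing), so confirm the listener side before relying on this. `origin_ssl_protocols = ["TLSv1.2"]` is the right floor; leave `http_port` at the conventional 80 to avoid suggesting a plaintext path exists.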
@@ -36,3 +36,20 @@ provider "registry.opentofu.org/hashicorp/random" { "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + hashes = [ + "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 6acc6ba4f..e01df4c85 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -108,7 +108,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 5000 + http_port = 80 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] From 56c7d29cf22e653a57cd3d039c38d9237773358a Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 16 Apr 2024 11:51:13 -0400 Subject: [PATCH 177/298] api uri rewrite update --- tofu/modules/services/frontend/main.tf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index e01df4c85..eb1b2185e 100644 --- a/tofu/modules/services/frontend/main.tf 
+++ b/tofu/modules/services/frontend/main.tf @@ -98,6 +98,11 @@ resource "aws_cloudfront_distribution" "appointment" { aliases = ["${var.environment}.appointment.day"] + logging_config { + bucket = "${aws_s3_bucket.request_logs.id}.s3.amazonaws.com" + include_cookies = true + } + origin { origin_id = "${var.name_prefix}-frontend" domain_name = aws_s3_bucket.frontend.bucket_domain_name @@ -211,7 +216,6 @@ resource "aws_cloudfront_function" "rewrite_api" { // If we're not in one of the ignorePaths then force them to /index.html request.uri = '/index.html'; } - // else carry on like normal. return request; } From 6ab8dff2dd92ba5c9dca92df3293c171397f5ab0 Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Tue, 16 Apr 2024 09:49:46 -0700 Subject: [PATCH 178/298] Frontend IAC: Pass the build environment mode to yarn build (e.g. staging, production) Just does staging for now. --- .github/workflows/deploy-frontend.yaml | 5 ++++- .github/workflows/primary.yaml | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 83bc75f1d..f24be6b26 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -14,6 +14,9 @@ on: bucket: required: true type: string + build_environment: + required: true + type: string permissions: id-token: write @@ -36,7 +39,7 @@ jobs: run: cd frontend && yarn install - name: Build project - run: cd frontend && yarn build + run: cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 85443d86d..a2cd19a61 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -109,5 +109,6 @@ jobs: with: aws_region: us-east-1 bucket: tb-apmt-stage-frontend + build_environment: staging secrets: inherit 
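Review bot: The added `logging_config` sets `include_cookies = true`, so every request's `Cookie` header — session ids, auth tokens, anything the app sets — is written in plaintext to the `request_logs` bucket; unless cookie-level debugging is required, use `include_cookies = false`. The context shown in the earlier hunk at `@@ -96` (`include_cookies = true` followed by `}` right before `aliases`) suggests the resource may already have a `logging_config` block, and `aws_cloudfront_distribution` accepts only one — worth confirming before apply. `aws_s3_bucket.request_logs` is defined outside this hunk; it should have public access blocked and a retention lifecycle, since these logs are effectively PII.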
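Review bot: `yarn build --mode ${{inputs.build_environment}}` interpolates a workflow expression into a shell command; today the value is the caller's literal `build_environment: staging`, so the risk is low, but the pattern breaks the moment the input is fed from a dispatch field or PR metadata. Pass it through the environment instead: `env:` / `BUILD_ENV: ${{ inputs.build_environment }}` on the step and `run: cd frontend && yarn build --mode "$BUILD_ENV"`. Reusable-workflow inputs have no allowed-values list, so a one-line check that `$BUILD_ENV` is `staging` or `production` in the step is the cheap guard.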
From 4031e96c8a965a694d76ed55b1950224af68ac72 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 16 Apr 2024 15:32:50 -0400 Subject: [PATCH 179/298] add index.html function --- .github/workflows/deploy-frontend.yaml | 4 +++- tofu/modules/services/frontend/main.tf | 21 +++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index f24be6b26..2ed6e9e0b 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -39,7 +39,9 @@ jobs: run: cd frontend && yarn install - name: Build project - run: cd frontend && yarn build --mode ${{inputs.build_environment}} + run: | + cp /build/frontend/.env.staging.example /build/frontend/.env.staging + cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index eb1b2185e..f3f350489 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -222,6 +222,27 @@ resource "aws_cloudfront_function" "rewrite_api" { EOT } +resource "aws_cloudfront_function" "add_index" { + name = "${var.name_prefix}-add-index" + runtime = "cloudfront-js-2.0" + code = < Date: Wed, 17 Apr 2024 08:08:32 -0400 Subject: [PATCH 180/298] frontend test --- .github/workflows/primary.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index a2cd19a61..6b26f31c7 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -104,7 +104,6 @@ jobs: deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From ddba21540ca9f039cf51c7d49b1a878fc66f6f28 Mon Sep 17 00:00:00 2001 
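Review bot: Removing the `if:` from `deploy-frontend` leaves it with no branch gate, so every event that triggers `primary.yaml` — including feature-branch pushes — deploys to the bucket with inherited secrets. Restore `if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true'` and use `workflow_dispatch` for test runs rather than removing the condition.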
From: Jo Date: Wed, 17 Apr 2024 08:12:38 -0400 Subject: [PATCH 181/298] frontend test --- .github/workflows/deploy-frontend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 2ed6e9e0b..299ec5875 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml @@ -40,7 +40,7 @@ jobs: - name: Build project run: | - cp /build/frontend/.env.staging.example /build/frontend/.env.staging + cp frontend/.env.staging.example frontend/.env.staging cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials From f587149220283c0fa3cedc566721ecc9c776ca0c Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 08:17:30 -0400 Subject: [PATCH 182/298] temporarily run all steps on add-tf-iac branch --- .github/workflows/primary.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 6b26f31c7..24315d3fd 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -55,7 +55,7 @@ jobs: apply-iac: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: 
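Review bot: The build step copies `.env.staging.example` to `.env.staging` regardless of `inputs.build_environment`, so a `production` build would run `yarn build --mode production` with no `.env.production` file and the staging example as the only env input. Tie the file to the requested mode — put the input in an env var and `cp "frontend/.env.${BUILD_ENV}.example" "frontend/.env.${BUILD_ENV}"` — or fail fast when the file for that mode is missing. Whatever is in the example file is compiled into the public bundle, so it should hold only non-secret, environment-specific endpoints.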
@@ -70,12 +70,12 @@ jobs: ci-tests: needs: detect-changes - if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + if: github.ref == 'refs/heads/add-tf-iac' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml verify-backend: needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -90,6 +90,7 @@ jobs: deploy-backend: needs: detect-changes + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: @@ -104,6 +105,7 @@ jobs: deploy-frontend: needs: detect-changes + if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: aws_region: us-east-1 From 0cb12d57bf8b232f40ca08046801fa297b6f1bfc Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 08:26:02 -0400 Subject: [PATCH 183/298] fix apply-iac workflow & production backend-service --- .github/workflows/apply-iac.yaml | 12 ++++++------ .../services/backend-service/terragrunt.hcl | 2 ++ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml index f531f3c02..64a0ef0b8 100644 --- a/.github/workflows/apply-iac.yaml +++ b/.github/workflows/apply-iac.yaml @@ -21,7 +21,7 @@ permissions: contents: read jobs: - validate-iac: + apply-iac: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -50,7 +50,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan tfplan + terragrunt plan -out tfplan terragrunt apply tfplan - name: backend-infra 
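Review bot: `terragrunt plan -out tfplan` immediately followed by `terragrunt apply tfplan` in the same step means the saved plan is never reviewed and the file stays in the checkout afterwards; a plan file contains every resolved variable and sensitive value in plaintext, so make sure no later step uploads the workspace as an artifact and remove it once applied, e.g. `terragrunt apply tfplan && rm -f tfplan`. The `-out`/`apply tfplan` pairing itself is correct and fixes the earlier `terragrunt plan tfplan` typo, which would have been rejected as a directory argument. If a human checkpoint is wanted, split plan and apply into separate jobs and pass the plan file through an artifact under a protected `environment:`.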
@@ -58,7 +58,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: cache @@ -66,7 +66,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: database @@ -74,7 +74,7 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan - name: frontend @@ -82,5 +82,5 @@ jobs: run: | terragrunt init terragrunt validate - terragrunt plan + terragrunt plan -out tfplan terragrunt apply tfplan diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index 8387eec5e..fff6fe397 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -18,6 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] + ecs_execution_role = "arn:mockrolearn" } } @@ -50,5 +51,6 @@ inputs = { target_group_arn = dependency.backend-infra.outputs.target_group_arn security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id + task_execution_role = dependency.vpc.outputs.ecs_execution_role tags = local.tags } \ No newline at end of file From 921181991f78b5b2ddcc4c6962124d1fdb7b15c9 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 08:32:33 -0400 Subject: [PATCH 184/298] fix mock execution role & temporailiry disable verify-iac for add-tf-iac branch --- .github/workflows/primary.yaml | 4 ++-- .../production/services/backend-service/terragrunt.hcl | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 24315d3fd..c2ab73e2c 100644 
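Review bot: The mock value `arn:mockrolearn` is not a well-formed IAM role ARN, so any ARN validation in the `backend-service` module or in the provider will reject `task_execution_role` during `validate`/`plan`, which are exactly the commands `mock_outputs_allowed_terraform_commands` enables the mock for. Use a syntactically valid placeholder built on AWS's documented example account rather than a real one, `ecs_execution_role = "arn:aws:iam::123456789012:role/mock-execution-role"`, so the mock passes format checks without carrying a real account identifier. The `inputs` block this feeds continues outside the hunk.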
--- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -40,7 +40,7 @@ jobs: verify-iac: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: @@ -75,7 +75,7 @@ jobs: verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl index fff6fe397..9db40c45d 100644 --- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ b/tofu/environments/production/services/backend-service/terragrunt.hcl @@ -18,7 +18,7 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "arn:mockrolearn" + ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn" } } From fddfa574fcb155764fc612fbace66c12ef8b40bb Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 09:58:42 -0400 Subject: [PATCH 185/298] frontend build environment --- .github/workflows/deploy-frontend.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml index 299ec5875..fbe5db6fc 100644 --- a/.github/workflows/deploy-frontend.yaml +++ b/.github/workflows/deploy-frontend.yaml 
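Review bot: The replacement mock embeds what appears to be a real AWS account ID (`768512802988`, the same account that shows up in the ACM certificate ARN later in this series) in a placeholder that only has to satisfy ARN-format checks. Account IDs are not secrets, but they are useful for reconnaissance and there is no reason to bake one into mock data that lives in source control; use AWS's documented example account instead, `ecs_execution_role = "arn:aws:iam::123456789012:role/mock-execution-role"`. This block is only consumed for `init`/`validate`/`plan` per `mock_outputs_allowed_terraform_commands`, so the change has no effect on applied infrastructure.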
@@ -40,7 +40,7 @@ jobs: - name: Build project run: | - cp frontend/.env.staging.example frontend/.env.staging + cp frontend/.env.${{inputs.build_environment}}.example frontend/.env.${{inputs.build_environment}} cd frontend && yarn build --mode ${{inputs.build_environment}} - name: Configure AWS credentials From 64fccd2d28424ba629885f7d99df884b69ecba7b Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:41:39 -0400 Subject: [PATCH 186/298] replacing DB secrets --- .github/workflows/primary.yaml | 1 + .../backend-infra/.terraform.lock.hcl | 24 ++++++------ .../backend-infra/.terraform.lock.hcl | 37 +++++++++++++++++++ tofu/modules/services/backend-infra/main.tf | 8 ++++ 4 files changed, 58 insertions(+), 12 deletions(-) create mode 100644 tofu/modules/services/backend-infra/.terraform.lock.hcl diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index c2ab73e2c..5d7f516a5 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -35,6 +35,7 @@ jobs: - '.github/workflows/**' run-backend: - 'backend/**' + 'tofu/modules/services/backend-service/**' run-frontend: - 'frontend/**' diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index 840c8c797..1ff60906c 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
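Review bot: `${{inputs.build_environment}}` is substituted into the script text before the shell runs, so the value is spliced into the `cp` and `yarn build` command lines unescaped; the caller currently passes the literal `staging`, but this is a free-form string input of a reusable workflow and a future caller or a `workflow_dispatch` wiring could turn it into shell injection. Pass it through the environment instead and let the shell quote it, and consider an allow-list check (`staging|production`) first, since the same value also selects which example env file is compiled into the public bundle. The rest of the job (checkout, AWS credential configuration) is outside the hunk.
```yaml
      - name: Build project
        env:
          BUILD_ENV: ${{ inputs.build_environment }}
        run: |
          cp "frontend/.env.$BUILD_ENV.example" "frontend/.env.$BUILD_ENV"
          cd frontend && yarn build --mode "$BUILD_ENV"
```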
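Review bot: The added path filter is missing its list marker, so `'tofu/modules/services/backend-service/**'` is not a second list item: depending on the parser it is either a YAML error (a new scalar directly after a closed quoted scalar) or a malformed continuation of `'backend/**'`, and in neither case does `run-backend` trigger on changes to that module. It should read `- 'tofu/modules/services/backend-service/**'`, indented to match the `- 'backend/**'` entry above it. The `filters:` block this belongs to begins outside the hunk.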
@@ -38,18 +38,18 @@ provider "registry.opentofu.org/hashicorp/random" { } provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.0" + version = "3.6.1" hashes = [ - "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", - "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", - "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", - "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", - "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", - "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", - "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", - "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", - "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", - "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", - "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/modules/services/backend-infra/.terraform.lock.hcl b/tofu/modules/services/backend-infra/.terraform.lock.hcl new file mode 100644 index 000000000..181a05a23 --- /dev/null +++ b/tofu/modules/services/backend-infra/.terraform.lock.hcl 
@@ -0,0 +1,37 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/hashicorp/aws" {
+ version = "5.45.0"
+ constraints = ">= 4.66.1, >= 5.33.0"
+ hashes = [
+ "h1:3zU3yp1SY+8vHAQvhfhYdPnFYQpFwXXXar+hOrnofzQ=",
+ "zh:1d71c406aeaf4ba762eb62e4595ab9c9f8da1a2c9b74bb4277c0acfd9678ae65",
+ "zh:3b00b13154eadedb37bca99bf7cbd556fa9472e6900c970effa17a270ee9f721",
+ "zh:6f264e8b70153925ac8abfa83ebffe2c2d5a27ab5557a6b16124269b08ac2441",
+ "zh:80f7d552faf5c43d7dc22c6c1f7e70557b9f01c67db07abbb0330d5d3fc0e464",
+ "zh:863a2a2e6ae5b42fc46b209d8f2761c882d46aca481a8c49ef221d290b4fd88e",
+ "zh:8e3bddeb2da7e6bcfd0b0221a083778d2f7fc5cd64f55de7d8d79bd1f7378bae",
+ "zh:c726104e46cd743bbf240101d7975f44091d893b6e97b46070df0041779b04d2",
+ "zh:db73a89b462fdd6eb6f32e6ed464430a895fc2e54fb629e8b99773fc32a6a7a8",
+ "zh:e35179b89eba358f521ffd4546345b4d0683ca3364a9deb8f3b7b4bf60be6f02",
+ "zh:e7b54a0faecd34a9c73729d1d1f0cfc1b8f56bae789f95987002616f1265ce72",
+ ]
+}
+
+provider "registry.opentofu.org/hashicorp/random" {
+ version = "3.6.1"
+ hashes = [
+ "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=",
+ "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b",
+ "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063",
+ "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03",
+ "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600",
+ "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59",
+ "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17",
+ "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9",
+ "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8",
+ "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39",
+ "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f",
+ ]
+}
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 5a46570e5..4b2e4d0a6 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -28,6 +28,14 @@ resource "random_string" "x_allow_suffix" { upper = true } +resource "random_string" "x_allow_suffix" { + length = 8 + lower = true + numeric = false + special = false + upper = true +} + resource "aws_secretsmanager_secret" "x_allow_secret" { name = "${var.name_prefix}-x-allow-secret-${random_string.x_allow_suffix.result}" } From 9be65e36b2b76bf153347e280324cdcd450dfe2a Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:43:22 -0400 Subject: [PATCH 187/298] workflow typo fix --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 5d7f516a5..2d5452902 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -35,7 +35,7 @@ jobs: - '.github/workflows/**' run-backend: - 'backend/**' - 'tofu/modules/services/backend-service/**' + - 'tofu/modules/services/backend-service/**' run-frontend: - 'frontend/**' From 98b70007407242b79da4445b30a8c0187c9b2b20 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:56:13 -0400 Subject: [PATCH 188/298] improve x-allow secret handling --- tofu/modules/services/frontend/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index f3f350489..ed8577a43 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -235,7 +235,7 @@ resource "aws_cloudfront_function" "add_index" { request.uri += 'index.html'; } // Check whether the URI is missing a file extension. - else if (uri == '') { + else if (!uri.includes('.')) { request.uri += '/index.html'; } 
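Review bot: The added `resource "random_string" "x_allow_suffix"` block appears to redeclare a resource that already exists immediately above it: the hunk header names `resource "random_string" "x_allow_suffix"` as the enclosing definition and the context lines (`upper = true` / `}`) are its tail, and OpenTofu refuses two resources with the same type and name at `validate`. If the intent is a fresh suffix so the secret gets a new name (the commit says "replacing DB secrets"), edit the existing block or give the new one a distinct name, and be aware that changing the suffix forces replacement of `aws_secretsmanager_secret.x_allow_secret`, whose value must then be re-populated and re-read by the frontend. The rest of the module is outside the hunk, so the duplicate is inferred from the header context.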
From 41b1638b8d32e44f011c7a5c7a26d629a124b6e8 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 14:08:17 -0400 Subject: [PATCH 189/298] index function fix --- tofu/modules/services/frontend/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index ed8577a43..f4e511282 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -236,7 +236,7 @@ resource "aws_cloudfront_function" "add_index" { } // Check whether the URI is missing a file extension. else if (!uri.includes('.')) { - request.uri += '/index.html'; + request.uri = '/index.html'; } return request; From 4c51b11f114fe9f1414c3d6860fd463d91804391 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 12:38:01 -0400 Subject: [PATCH 190/298] fix rewrite function --- tofu/README.md | 2 +- tofu/modules/services/frontend/main.tf | 22 +--------------------- 2 files changed, 2 insertions(+), 22 deletions(-) diff --git a/tofu/README.md b/tofu/README.md index 05a53ffc5..aa1711a20 100644 --- a/tofu/README.md +++ b/tofu/README.md @@ -110,7 +110,7 @@ These should be deployed in the following order and generally will only be updat 1. tofu/environments/\/services/backend-service 1. `cd tofu/environments//services/backend-service` - 2. `terragrun init` + 2. `terragrunt init` 3. `terragrunt validate` 4. `terragrunt plan -out tfplan` 5. `terragrunt apply tfplan` diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index f4e511282..10ee53c64 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf 
@@ -216,33 +216,13 @@ resource "aws_cloudfront_function" "rewrite_api" { // If we're not in one of the ignorePaths then force them to /index.html request.uri = '/index.html'; } + // else carry on like normal. return request; } EOT } -resource "aws_cloudfront_function" "add_index" { - name = "${var.name_prefix}-add-index" - runtime = "cloudfront-js-2.0" - code = < Date: Mon, 22 Apr 2024 12:56:58 -0400 Subject: [PATCH 191/298] env env variables --- .github/workflows/primary.yaml | 38 +++++++++++++++++----------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 2d5452902..e2132e4d0 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml 
@@ -41,75 +41,75 @@ jobs: verify-iac: needs: detect-changes - if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/verify-iac.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit apply-iac: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/apply-iac.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit ci-tests: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') + if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') uses: ./.github/workflows/ci-tests.yaml verify-backend: needs: detect-changes - if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: environment: [stage, production] uses: ./.github/workflows/verify-backend.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit 
deploy-backend: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-backend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' strategy: max-parallel: 1 matrix: environment: [stage] uses: ./.github/workflows/deploy-backend.yaml with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 + tf_version: $TF_VERSION + tg_version: $TG_VERSION + aws_region: $AWS_REGION environment: ${{ matrix.environment }} secrets: inherit deploy-frontend: needs: detect-changes - if: github.ref == 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-frontend == 'true' + if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: - aws_region: us-east-1 + aws_region: $AWS_REGION bucket: tb-apmt-stage-frontend build_environment: staging secrets: inherit From 15cb5d3119afb39cd0f4bfa0d4e324a7b63d5a9f Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:07:51 -0400 Subject: [PATCH 192/298] remove env context from with key --- .github/workflows/primary.yaml | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index e2132e4d0..aaa0a47f3 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -11,11 +11,6 @@ permissions: id-token: write contents: read -env: - TF_VERSION: '1.6.2' - TG_VERSION: '0.55.15' - AWS_REGION: us-east-1 - jobs: detect-changes: runs-on: ubuntu-latest @@ -48,9 +43,9 @@ jobs: environment: [stage, production] uses: ./.github/workflows/verify-iac.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit 
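Review bot: Values under a reusable-workflow call's `with:` are not shell-expanded, so `tf_version: $TF_VERSION` hands the literal string `$TF_VERSION` to `verify-iac.yaml` and the other called workflows, which will either fail in their setup steps or fall back to whatever default they define. The `env` context is not available in `jobs.<id>.with` either, so `${{ env.TF_VERSION }}` would not help; the supported way to centralise these values is repository or organization variables, `tf_version: ${{ vars.TF_VERSION }}`, or simply keeping the literals. The `aws_region: $AWS_REGION` on `deploy-frontend` at the end of the hunk has the same problem.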
@@ -63,9 +58,9 @@ jobs: environment: [stage] uses: ./.github/workflows/apply-iac.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -83,9 +78,9 @@ jobs: environment: [stage, production] uses: ./.github/workflows/verify-backend.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -98,9 +93,9 @@ jobs: environment: [stage] uses: ./.github/workflows/deploy-backend.yaml with: - tf_version: $TF_VERSION - tg_version: $TG_VERSION - aws_region: $AWS_REGION + tf_version: 1.6.2 + tg_version: 0.55.15 + aws_region: us-east-1 environment: ${{ matrix.environment }} secrets: inherit @@ -109,7 +104,7 @@ jobs: if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true' uses: ./.github/workflows/deploy-frontend.yaml with: - aws_region: $AWS_REGION + aws_region: us-east-1 bucket: tb-apmt-stage-frontend build_environment: staging secrets: inherit From 8a08b9d25318c0b554afde32bbc10f737a0e83b5 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:18:09 -0400 Subject: [PATCH 193/298] terragrunt upgrade --- .github/workflows/apply-iac.yaml | 10 +++++----- .github/workflows/deploy-backend.yaml | 2 +- .github/workflows/verify-backend.yaml | 2 +- .github/workflows/verify-iac.yaml | 10 +++++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml index 64a0ef0b8..14056124d 100644 --- a/.github/workflows/apply-iac.yaml +++ b/.github/workflows/apply-iac.yaml 
@@ -48,7 +48,7 @@ jobs: - name: vpc working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -56,7 +56,7 @@ jobs: - name: backend-infra working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -64,7 +64,7 @@ jobs: - name: cache working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -72,7 +72,7 @@ jobs: - name: database working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan @@ -80,7 +80,7 @@ jobs: - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan terragrunt apply tfplan diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml index a2e3f8dce..d0c511d65 100644 --- a/.github/workflows/deploy-backend.yaml +++ b/.github/workflows/deploy-backend.yaml @@ -77,7 +77,7 @@ jobs: - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan terragrunt apply tfplan diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml index e8f28488d..db05a4534 100644 --- a/.github/workflows/verify-backend.yaml +++ b/.github/workflows/verify-backend.yaml 
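Review bot: Adding `-upgrade` to `terragrunt init` in the apply workflow lets every run install the newest provider build that satisfies the version constraints, overriding the versions and hashes recorded in the committed `.terraform.lock.hcl`; with open-ended constraints such as `>= 3.6.1` an apply can silently pick up a new provider major and its plan differences, and the lock file no longer attests to what actually ran. For the apply path use plain `terragrunt init` (or `terragrunt init -lockfile=readonly`) so CI fails when the lock file is stale, and do upgrades deliberately in a pull request that commits the refreshed lock file. If `-upgrade` is wanted for the `verify-*` workflows to exercise loosened constraints, keep that separate from the job that applies.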
@@ -68,7 +68,7 @@ jobs: - name: backend-service working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan -var 'image=${{env.IMAGE}}' diff --git a/.github/workflows/verify-iac.yaml b/.github/workflows/verify-iac.yaml index fe1767803..3ac7fa3f1 100644 --- a/.github/workflows/verify-iac.yaml +++ b/.github/workflows/verify-iac.yaml @@ -49,7 +49,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -57,7 +57,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -65,7 +65,7 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan @@ -73,13 +73,13 @@ jobs: working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database continue-on-error: true run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan - name: frontend working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend run: | - terragrunt init + terragrunt init -upgrade terragrunt validate terragrunt plan From 6ef1cbaccfadd193bffdad875402b66b6542ce71 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:36:51 -0400 Subject: [PATCH 194/298] relax provider versions --- tofu/environments/stage/environment.hcl | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 13b0a99d8..63872ae16 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl 
@@ -23,6 +23,9 @@ generate "versions" { source = "hashicorp/random" version = ">= 3.6.1" } + random = { + source = "hashicorp/random" + version = "~> 3.6.1" } } EOF From f4710f66549bcf5243c8a437adc8ae4402767e00 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:38:00 -0400 Subject: [PATCH 195/298] relax provider versions --- tofu/environments/stage/environment.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 63872ae16..4821cf3ed 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -26,6 +26,7 @@ generate "versions" { random = { source = "hashicorp/random" version = "~> 3.6.1" + } } } EOF From 5358ccc516a95f9fe29741a4e2065109e288e9ae Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:39:57 -0400 Subject: [PATCH 196/298] relax provider versions --- tofu/environments/stage/environment.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 4821cf3ed..5cf2b854e 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -25,7 +25,7 @@ generate "versions" { } random = { source = "hashicorp/random" - version = "~> 3.6.1" + version = "~>= 3.6.1" } } } From a9641fae5c1cc756c853ecdd3a546c0ea1c0747a Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:42:51 -0400 Subject: [PATCH 197/298] adjusting provider requirements --- tofu/environments/stage/environment.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 5cf2b854e..97d5ef139 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -25,7 +25,7 @@ generate "versions" { } random = { source = "hashicorp/random" - version = "~>= 3.6.1" + version = "~> 3.6" } } } 
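Review bot: The hunk context shows the `required_providers` map already ending in a `random = { source = "hashicorp/random" version = ">= 3.6.1" }` entry, so adding a second `random = {` key beside it is a duplicate attribute in the generated versions file and will be rejected at `init`/`validate` (and the two constraints, `>= 3.6.1` and `~> 3.6.1`, pull in different directions anyway). Edit the existing entry in place instead of adding one, and give it a bounded constraint there, e.g. `version = "~> 3.6"`, so a future major cannot be selected by an upgrade. The `generate` block begins outside the hunk, so the surrounding structure is inferred from the context lines.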
From 55614d7475bbeb3d72ad1cc0fc2d24f30189cd8c Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:53:09 -0400 Subject: [PATCH 198/298] adjusting provider requirements --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index aecb69f5e..e08624e9c 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -19,6 +19,7 @@ dependency "backend" { mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" + x_allow_secret = "mock_secret" } } @@ -43,4 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file From 75550270692c7a37f667acb7239ce3f45b532857 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 14:07:54 -0400 Subject: [PATCH 199/298] adjusting provider requirements --- tofu/environments/stage/environment.hcl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl index 97d5ef139..17fcc14ec 100644 --- a/tofu/environments/stage/environment.hcl +++ b/tofu/environments/stage/environment.hcl @@ -25,7 +25,7 @@ generate "versions" { } random = { source = "hashicorp/random" - version = "~> 3.6" + version = ">= 3.6.1" } } } From 85179241f3e2e72fe24ce1c2176b35cc7a25da08 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 14:41:09 -0400 Subject: [PATCH 200/298] adjusting provider requirements --- .../production/services/backend-infra/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) 
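Review bot: `x_allow_secret` now travels from `backend-infra` to `frontend` as a Terragrunt dependency output, which means the secret value is read out of one remote state and written into the plan and state of the other; unless the output is declared `sensitive = true` in the backend-infra module it will also be printed in the plan output of the verify and apply workflows. Confirm the output is marked sensitive and that the state bucket is encrypted and access-restricted, and consider whether the frontend can consume the secret's ARN and resolve the value itself, which at least keeps the raw value out of the cross-module output and the plan logs of this module. The mock value `"mock_secret"` is appropriate for plan-only use; the `inputs` block continues outside the hunk.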
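Review bot: `version = ">= 3.6.1"` has no upper bound, so together with the `terragrunt init -upgrade` introduced earlier in this series a future `random` provider 4.x would be installed and applied without anyone reviewing it. Prefer `version = "~> 3.6"` (any 3.x at or above 3.6) and let the lock file pin the exact build. The surrounding `required_providers` map is outside the hunk.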
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 5ed033407..93beded47 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -47,5 +47,6 @@ inputs = { secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" tags = local.tags } \ No newline at end of file From 9280d6d80c87779713842b4c87818a2edc8f8d59 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 15:15:32 -0400 Subject: [PATCH 201/298] removed lock file --- .../backend-infra/.terraform.lock.hcl | 37 ------------------- 1 file changed, 37 deletions(-) delete mode 100644 tofu/modules/services/backend-infra/.terraform.lock.hcl diff --git a/tofu/modules/services/backend-infra/.terraform.lock.hcl b/tofu/modules/services/backend-infra/.terraform.lock.hcl deleted file mode 100644 index 181a05a23..000000000 --- a/tofu/modules/services/backend-infra/.terraform.lock.hcl +++ /dev/null 
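Review bot: The ACM certificate ARN, account ID included, is hard-coded in the production `backend-infra` inputs, while the frontend in the same environment sources the same value as `ssl_cert = local.ssl_cert` (visible in the production frontend hunk earlier in this series), so the two can drift and the certificate has to be updated in two places. Pull it from the same local here, `ssl_cert = local.ssl_cert`, with the value living once in the environment's vars file. The `locals` block that would define it is outside the hunk, so confirm it is already present in this file.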
@@ -1,37 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.45.0" - constraints = ">= 4.66.1, >= 5.33.0" - hashes = [ - "h1:3zU3yp1SY+8vHAQvhfhYdPnFYQpFwXXXar+hOrnofzQ=", - "zh:1d71c406aeaf4ba762eb62e4595ab9c9f8da1a2c9b74bb4277c0acfd9678ae65", - "zh:3b00b13154eadedb37bca99bf7cbd556fa9472e6900c970effa17a270ee9f721", - "zh:6f264e8b70153925ac8abfa83ebffe2c2d5a27ab5557a6b16124269b08ac2441", - "zh:80f7d552faf5c43d7dc22c6c1f7e70557b9f01c67db07abbb0330d5d3fc0e464", - "zh:863a2a2e6ae5b42fc46b209d8f2761c882d46aca481a8c49ef221d290b4fd88e", - "zh:8e3bddeb2da7e6bcfd0b0221a083778d2f7fc5cd64f55de7d8d79bd1f7378bae", - "zh:c726104e46cd743bbf240101d7975f44091d893b6e97b46070df0041779b04d2", - "zh:db73a89b462fdd6eb6f32e6ed464430a895fc2e54fb629e8b99773fc32a6a7a8", - "zh:e35179b89eba358f521ffd4546345b4d0683ca3364a9deb8f3b7b4bf60be6f02", - "zh:e7b54a0faecd34a9c73729d1d1f0cfc1b8f56bae789f95987002616f1265ce72", - ] -} - -provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.1" - hashes = [ - "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", - "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", - "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", - "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", - "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", - "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", - "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", - "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", - "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", - "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", - "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", - ] -} From 5254ec59f7d429c9db5d47931d1d4dc2e90cb40e Mon Sep 17 00:00:00 2001 
From: Jo Date: Tue, 23 Apr 2024 07:25:40 -0400 Subject: [PATCH 202/298] updating terraform lock files
---
.../stage/network/vpc/.terraform.lock.hcl | 44 +++++++++++++------ 1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
index c8048244a..fce9acaad 100644
--- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl
+++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl
@@ -2,19 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 4.0.0, >= 5.30.0" + version = "5.46.0" + constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", + "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", + "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", + "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", + "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", + "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", + "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", + "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", + "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", + "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", + "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } From 2c253977cc1022726965dd59e656d43f01f77fe7 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 6 May 2024 13:36:09 -0400 Subject: [PATCH 203/298] workflow cleanup --- .github/workflows/apply-iac.yaml | 86 ------------------ .github/workflows/deploy-backend.yaml | 84 ------------------ .github/workflows/deploy-frontend.yaml | 54 ------------ .github/workflows/deploy-production.yml | 6 +- .github/workflows/deploy-staging.yml | 6 +- .github/workflows/primary.yaml | 111 ------------------------ .github/workflows/validate.yml | 6 +- .github/workflows/verify-backend.yaml | 74 ---------------- .github/workflows/verify-iac.yaml | 85 ------------------ 9 files changed, 12 insertions(+), 500 deletions(-) delete mode 100644 .github/workflows/apply-iac.yaml delete mode 100644 .github/workflows/deploy-backend.yaml delete mode 100644 .github/workflows/deploy-frontend.yaml delete mode 100644 .github/workflows/primary.yaml delete mode 100644 .github/workflows/verify-backend.yaml delete mode 100644 .github/workflows/verify-iac.yaml diff --git a/.github/workflows/apply-iac.yaml b/.github/workflows/apply-iac.yaml deleted file mode 100644 index 14056124d..000000000 --- a/.github/workflows/apply-iac.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -name: apply-iac - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -permissions: - id-token: write - contents: read - -jobs: - apply-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: backend-infra - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: cache - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: database - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: frontend - working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend - run: | - terragrunt init -upgrade - 
terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml deleted file mode 100644 index d0c511d65..000000000 --- a/.github/workflows/deploy-backend.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -name: Deploy Backend - -# Stop any pending jobs -concurrency: - group: backend - cancel-in-progress: true - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -env: - ECR_REPOSITORY: appointment - -permissions: - id-token: write - contents: read - -jobs: - deploy-backend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - - name: backend-service - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan - terragrunt apply tfplan - diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml deleted file mode 100644 index fbe5db6fc..000000000 --- a/.github/workflows/deploy-frontend.yaml +++ /dev/null @@ -1,54 +0,0 @@ -name: Deploy Frontend - -# Stop any pending jobs -concurrency: - group: frontend - cancel-in-progress: true - -on: - workflow_call: - inputs: - aws_region: - required: true - type: string - bucket: - required: true - type: string - build_environment: - required: true - type: string - -permissions: - id-token: write - contents: read - -jobs: - deploy-frontend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Setup NPM - uses: actions/setup-node@v4 - with: - node-version: '18.x' - - - name: Install dependencies - run: cd frontend && yarn install - - - name: Build project - run: | - cp frontend/.env.${{inputs.build_environment}}.example frontend/.env.${{inputs.build_environment}} - cd frontend && yarn build --mode ${{inputs.build_environment}} - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: Deploy Frontend - run: aws s3 sync frontend/dist s3://${{inputs.bucket}} --delete diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 1156cf9de..b780627d9 100644 
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -7,11 +7,10 @@ concurrency:
 on: workflow_dispatch
-environment: production
-
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
+ environment: production
 outputs:
 deploy-iac: ${{ steps.check.outputs.deploy-iac }}
 deploy-backend: ${{ steps.check.outputs.deploy-backend }}
@@ -36,6 +35,7 @@ jobs:
 deploy-iac:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: production
 if: needs.detect-changes.outputs.deploy-iac == 'true'
 steps:
 - uses: actions/checkout@v4
@@ -102,6 +102,7 @@ jobs:
 deploy-frontend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: production
 if: needs.detect-changes.outputs.deploy-frontend == 'true'
 steps:
 - uses: actions/checkout@v4
@@ -129,6 +130,7 @@ jobs:
 deploy-backend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: production
 if: needs.detect-changes.outputs.deploy-backend == 'true'
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 3a084264a..f1368bbac 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -9,11 +9,10 @@ on:
 branches:
 - main
-environment: staging
-
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
+ environment: staging
 outputs:
 deploy-iac: ${{ steps.check.outputs.deploy-iac }}
 deploy-backend: ${{ steps.check.outputs.deploy-backend }}
@@ -38,6 +37,7 @@ jobs:
 deploy-iac:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.deploy-iac == 'true'
 steps:
 - uses: actions/checkout@v4
@@ -104,6 +104,7 @@ jobs:
 deploy-frontend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.deploy-frontend == 'true'
 steps:
 - uses: actions/checkout@v4
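Review bot: Moving `environment: production` to job level is right (it is not a valid top-level workflow key), but the first hunk also attaches it to `detect-changes`, which, judging by its `steps.check.outputs.*` outputs, only decides which deploy jobs run and needs no environment secrets; binding it means that job inherits the environment's secrets, and if the environment carries required reviewers or a wait timer, the change-detection step itself has to clear that gate on every run. Drop the added `environment: production` line under `detect-changes` and keep it only on `deploy-iac`, `deploy-frontend` and `deploy-backend`, which actually assume the deploy role. The same applies to `detect-changes` in deploy-staging.yml and validate.yml in this commit. The job bodies continue outside the hunks.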
@@ -131,6 +132,7 @@ jobs:
 deploy-backend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.deploy-backend == 'true'
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml
deleted file mode 100644
index aaa0a47f3..000000000
--- a/.github/workflows/primary.yaml
+++ /dev/null
@@ -1,111 +0,0 @@ -name: Primary Workflow - -concurrency: - group: iac - cancel-in-progress: true - -on: - push: - -permissions: - id-token: write - contents: read - -jobs: - detect-changes: - runs-on: ubuntu-latest - outputs: - run-iac: ${{ steps.check.outputs.run-iac }} - run-backend: ${{ steps.check.outputs.run-backend }} - run-frontend: ${{ steps.check.outputs.run-frontend }} - steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - run-iac: - - 'tofu/**' - - '.github/workflows/**' - run-backend: - - 'backend/**' - - 'tofu/modules/services/backend-service/**' - run-frontend: - - 'frontend/**' - - verify-iac: - needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/verify-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - apply-iac: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/apply-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - ci-tests: - needs: detect-changes - if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') - uses: ./.github/workflows/ci-tests.yaml - - verify-backend: - needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/verify-backend.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment 
}}
- secrets: inherit
-
-deploy-backend:
- needs: detect-changes
- if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true'
- strategy:
- max-parallel: 1
- matrix:
- environment: [stage]
- uses: ./.github/workflows/deploy-backend.yaml
- with:
- tf_version: 1.6.2
- tg_version: 0.55.15
- aws_region: us-east-1
- environment: ${{ matrix.environment }}
- secrets: inherit
-
- deploy-frontend:
- needs: detect-changes
- if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true'
- uses: ./.github/workflows/deploy-frontend.yaml
- with:
- aws_region: us-east-1
- bucket: tb-apmt-stage-frontend
- build_environment: staging
- secrets: inherit
-
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index d784a8c12..0ae730f33 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -9,11 +9,10 @@ on:
 branches:
 - main
-environment: staging
-
 jobs:
 detect-changes:
 runs-on: ubuntu-latest
+ environment: staging
 outputs:
 validate-iac: ${{ steps.check.outputs.validate-iac }}
 validate-backend: ${{ steps.check.outputs.validate-backend }}
@@ -38,6 +37,7 @@ jobs:
 validate-iac:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.validate-iac == 'true'
 steps:
 - uses: actions/checkout@v4
@@ -98,6 +98,7 @@ jobs:
 validate-backend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.validate-backend == 'true'
 steps:
@@ -122,6 +123,7 @@ jobs:
 validate-frontend:
 needs: detect-changes
 runs-on: ubuntu-latest
+ environment: staging
 if: needs.detect-changes.outputs.validate-frontend == 'true'
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml
deleted file mode 100644
index db05a4534..000000000
--- a/.github/workflows/verify-backend.yaml
+++ /dev/null
@@ -1,74 +0,0 @@ -name: Deploy Backend - -# Stop any pending jobs -concurrency: - group: backend - cancel-in-progress: true - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments - IMAGE: dummyimagename - -permissions: - id-token: write - contents: read - -jobs: - validate-backend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: backend-service - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -var 'image=${{env.IMAGE}}' - diff --git a/.github/workflows/verify-iac.yaml b/.github/workflows/verify-iac.yaml deleted file mode 100644 index 3ac7fa3f1..000000000 --- a/.github/workflows/verify-iac.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -name: verify-iac - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -permissions: - id-token: write - contents: read - -jobs: - validate-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/${{inputs.environment}}/network/vpc - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: backend-infra - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-infra - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: cache - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/cache - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: database - working-directory: ./tofu/environments/${{inputs.environment}}/data-store/database - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan - - - name: frontend - working-directory: ./tofu/environments/${{inputs.environment}}/services/frontend - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan 
From 04cfb8342bb208f5b6e83b927986a6c7025ab9d2 Mon Sep 17 00:00:00 2001 
From: Jo Date: Mon, 6 May 2024 13:42:05 -0400 Subject: [PATCH 204/298] environment cleanup --- .github/workflows/deploy-production.yml | 2 +- .github/workflows/deploy-staging.yml | 2 +- .../data-store/cache/.terraform.lock.hcl | 19 ------ .../data-store/cache/terragrunt.hcl | 51 --------------- .../data-store/database/.terraform.lock.hcl | 38 ------------ .../data-store/database/terragrunt.hcl | 62 ------------------- tofu/environments/production/environment.hcl | 10 --- .../production/environment_vars.yaml | 4 -- .../network/vpc/.terraform.lock.hcl | 20 ------ .../production/network/vpc/terragrunt.hcl | 31 ---------- .../backend-infra/.terraform.lock.hcl | 20 ------ .../services/backend-infra/terragrunt.hcl | 52 ---------------- .../services/backend-service/terragrunt.hcl | 56 ----------------- .../services/frontend/.terraform.lock.hcl | 19 ------ .../services/frontend/terragrunt.hcl | 48 -------------- .../terraform/tfbackend/.terraform.lock.hcl | 19 ------ .../terraform/tfbackend/terragrunt.hcl | 28 --------- 17 files changed, 2 insertions(+), 479 deletions(-) delete mode 100644 tofu/environments/production/data-store/cache/.terraform.lock.hcl delete mode 100644 tofu/environments/production/data-store/cache/terragrunt.hcl delete mode 100644 tofu/environments/production/data-store/database/.terraform.lock.hcl delete mode 100644 tofu/environments/production/data-store/database/terragrunt.hcl delete mode 100644 tofu/environments/production/environment.hcl delete mode 100644 tofu/environments/production/environment_vars.yaml delete mode 100644 tofu/environments/production/network/vpc/.terraform.lock.hcl delete mode 100644 tofu/environments/production/network/vpc/terragrunt.hcl delete mode 100644 tofu/environments/production/services/backend-infra/.terraform.lock.hcl delete mode 100644 tofu/environments/production/services/backend-infra/terragrunt.hcl delete mode 100644 tofu/environments/production/services/backend-service/terragrunt.hcl delete mode 100644 
tofu/environments/production/services/frontend/.terraform.lock.hcl delete mode 100644 tofu/environments/production/services/frontend/terragrunt.hcl delete mode 100644 tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl delete mode 100644 tofu/environments/production/terraform/tfbackend/terragrunt.hcl
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index b780627d9..96e1a1226 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -173,7 +173,7 @@ jobs:
 echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT
 - name: backend-service
- working-directory: ./tofu/environments/${{ inputs.environment }}/services/backend-service
+ working-directory: ./tofu/environments/prod/services/backend-service
 run: |
 terragrunt init -upgrade
 terragrunt validate
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index f1368bbac..7296f7f34 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -175,7 +175,7 @@ jobs:
 echo 'image_backend=$ECR_TAG >> $GITHUB_OUTPUT
 - name: backend-service
- working-directory: ./tofu/environments/${{ inputs.environment }}/services/backend-service
+ working-directory: ./tofu/environments/stage/services/backend-service
 run: |
 terragrunt init -upgrade
 terragrunt validate
diff --git a/tofu/environments/production/data-store/cache/.terraform.lock.hcl b/tofu/environments/production/data-store/cache/.terraform.lock.hcl
deleted file mode 100644
index b88b3b5eb..000000000
--- a/tofu/environments/production/data-store/cache/.terraform.lock.hcl
+++ /dev/null
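Review bot: The new `working-directory: ./tofu/environments/prod/services/backend-service` points at a directory this commit does not create — the diffstat deletes everything under `tofu/environments/production/` and adds nothing under `prod/` — so the production backend-service step will fail at `terragrunt init` until the environment is recreated at that path or the path is corrected (the staging hunk's `stage` path does match an existing environment). The context line `echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT` is worth fixing while here: single quotes stop `$ECR_TAG` from expanding, so the literal text is written to the step output, and the deploy-staging.yml hunk has the same line with the closing quote missing altogether, which leaves the rest of the script inside an unterminated string; `echo "image_backend=$ECR_TAG" >> "$GITHUB_OUTPUT"` is the form both need. The step's `run` block continues outside the hunk.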
@@ -1,19 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", - ] -} diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl deleted file mode 100644 index 086987807..000000000 --- a/tofu/environments/production/data-store/cache/terragrunt.hcl +++ /dev/null 
@@ -1,51 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/data-store/cache" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - vpc_id = "mock_vpc_id" - database_subnets = ["subnet-mocksubnet1234567"] - source_security_groups = ["sg-mocksecuritygroup"] - } -} - -dependency "backend" { - config_path = "../../services/backend-infra" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] - mock_outputs = { - security_group_id = "mock_sg_id" - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - name_prefix = local.name_prefix - vpc = dependency.vpc.outputs.vpc_id - subnets = dependency.vpc.outputs.database_subnets - source_security_groups = [dependency.backend.outputs.security_group_id] - tags = local.tags -} \ No newline at end of file diff --git a/tofu/environments/production/data-store/database/.terraform.lock.hcl b/tofu/environments/production/data-store/database/.terraform.lock.hcl deleted file mode 100644 index 520f9bfec..000000000 --- a/tofu/environments/production/data-store/database/.terraform.lock.hcl +++ /dev/null 
@@ -1,38 +0,0 @@ -# This file is maintained automatically by "tofu init". -# Manual edits may be lost in future updates. - -provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" - constraints = ">= 5.36.0" - hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", - ] -} - -provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.0" - constraints = ">= 3.1.0" - hashes = [ - "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", - "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", - "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", - "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", - "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", - "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", - "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", - "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", - "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", - "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", - "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", - ] -} 
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl deleted file mode 100644 index 6a8a0a46a..000000000 --- a/tofu/environments/production/data-store/database/terragrunt.hcl +++ /dev/null @@ -1,62 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/data-store/database" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - vpc_id = "mock_vpc_id" - database_subnet_group = "mock_subnet_group" - } -} - -dependency "cache" { - config_path = "../cache" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - security_group_id = "mock_sg_id" - } -} - -dependency "backend" { - config_path = "../../services/backend-infra" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] - mock_outputs = { - security_group_id = "sg-mocksecuritygroup" - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - vpc = dependency.vpc.outputs.vpc_id - subnet_group = dependency.vpc.outputs.database_subnet_group - elasticache_security_group = dependency.cache.outputs.security_group_id - backend_security_group = dependency.backend.outputs.security_group_id - tags = local.tags -} \ No newline at end of file 
diff --git a/tofu/environments/production/environment.hcl b/tofu/environments/production/environment.hcl deleted file mode 100644 index 6aa839efa..000000000 --- a/tofu/environments/production/environment.hcl +++ /dev/null @@ -1,10 +0,0 @@ -locals { - environment_vars = yamldecode(file("environment_vars.yaml")) - - environment = local.environment_vars.environment - region = local.environment_vars.region - - tags = { - environment = local.environment - } -} \ No newline at end of file diff --git a/tofu/environments/production/environment_vars.yaml b/tofu/environments/production/environment_vars.yaml deleted file mode 100644 index e415a0ef9..000000000 --- a/tofu/environments/production/environment_vars.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- -environment: production -region: us-east-1 -... \ No newline at end of file diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/production/network/vpc/.terraform.lock.hcl deleted file mode 100644 index c8048244a..000000000 --- a/tofu/environments/production/network/vpc/.terraform.lock.hcl +++ /dev/null 
@@ -1,20 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.41.0"
- constraints = ">= 4.0.0, >= 5.30.0"
- hashes = [
- "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
- "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
- "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
- "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
- "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
- "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
- "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
- "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
- "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
- "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
- "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
- ]
-}
diff --git a/tofu/environments/production/network/vpc/terragrunt.hcl b/tofu/environments/production/network/vpc/terragrunt.hcl
deleted file mode 100644
index edae031a7..000000000
--- a/tofu/environments/production/network/vpc/terragrunt.hcl
+++ /dev/null
@@ -1,31 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/network/vpc" -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - vpc_cidr = "10.0.0.0/16" - tags = local.tags -} \ No newline at end of file diff --git a/tofu/environments/production/services/backend-infra/.terraform.lock.hcl b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl deleted file mode 100644 index 16bf2d314..000000000 --- a/tofu/environments/production/services/backend-infra/.terraform.lock.hcl +++ /dev/null 
@@ -1,20 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.41.0"
- constraints = ">= 4.66.1, >= 5.33.0"
- hashes = [
- "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
- "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
- "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
- "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
- "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
- "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
- "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
- "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
- "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
- "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
- "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
- ]
-}
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl
deleted file mode 100644
index 93beded47..000000000
--- a/tofu/environments/production/services/backend-infra/terragrunt.hcl
+++ /dev/null
@@ -1,52 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/backend-infra" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - private_subnets = [] - ecr_endpoint_security_group = "mock_sg" - secrets_endpoint_security_group = "mock_sg" - logs_endpoint_security_group = "mock_sg" - database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - vpc = dependency.vpc.outputs.vpc_id - subnets = dependency.vpc.outputs.private_subnets - ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group - secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group - logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group - database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" - tags = local.tags -} \ No newline at end of file diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl deleted file mode 100644 index 9db40c45d..000000000 
--- a/tofu/environments/production/services/backend-service/terragrunt.hcl +++ /dev/null @@ -1,56 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "env" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/backend-service" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - private_subnets = ["subnet-mocksubnet1234567"] - ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn" - } -} - -dependency "backend-infra" { - config_path = "../backend-infra" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] - mock_outputs = { - target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234" - log_group = "MOCK_LOGS" - cluster_id = "MOCK_CLUSTER_ID" - security_group_id = "MOCK_SG" - } -} - -locals { - environment = include.env.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" - region = include.env.locals.region - project_tags = include.root.locals.tags - environment_tags = include.env.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - name_prefix = local.name_prefix - region = local.region - subnets = dependency.vpc.outputs.private_subnets - log_group = dependency.backend-infra.outputs.log_group - target_group_arn = dependency.backend-infra.outputs.target_group_arn - security_group = dependency.backend-infra.outputs.security_group_id - ecs_cluster = dependency.backend-infra.outputs.cluster_id - task_execution_role = dependency.vpc.outputs.ecs_execution_role - tags = local.tags -} \ No newline at end of file 
diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/production/services/frontend/.terraform.lock.hcl
deleted file mode 100644
index b88b3b5eb..000000000
--- a/tofu/environments/production/services/frontend/.terraform.lock.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.41.0"
- hashes = [
- "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
- "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
- "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
- "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
- "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
- "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
- "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
- "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
- "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
- "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
- "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
- ]
-}
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
deleted file mode 100644
index e08624e9c..000000000
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ /dev/null
@@ -1,48 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/frontend" -} - -dependency "backend" { - config_path = "../../services/backend-infra" - - mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] - mock_outputs = { - alb_id = "mock_alb_id" - dns_name = "mock_dns_name" - x_allow_secret = "mock_secret" - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" - - - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - tags = local.tags - ssl_cert = local.ssl_cert - backend_id = dependency.backend.outputs.alb_id - backend_dns_name = dependency.backend.outputs.dns_name - x_allow_secret = dependency.backend.outputs.x_allow_secret -} \ No newline at end of file diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl deleted file mode 100644 index b88b3b5eb..000000000 --- a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl +++ /dev/null 
@@ -1,19 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.41.0"
- hashes = [
- "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
- "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
- "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
- "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
- "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
- "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
- "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
- "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
- "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
- "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
- "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
- ]
-}
diff --git a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl
deleted file mode 100644
index 74efdd318..000000000
--- a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl
+++ /dev/null
@@ -1,28 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/terraform/tfbackend" -} - -locals { - bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state" - table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks" - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - bucket_name = local.bucket_name - table_name = local.table_name - tags = local.tags -} \ No newline at end of file From 107fa0e883c7f8b3537d9c27e2b42187cad4d494 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 6 May 2024 13:46:39 -0400 Subject: [PATCH 205/298] validate workflow test --- .github/workflows/validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 0ae730f33..d2c7dd643 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -7,7 +7,7 @@ concurrency: on: push: branches: - - main + - add-tf-iac jobs: detect-changes: From 1eb968e84cca18115aeadff44c348c530b1e8167 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 6 May 2024 13:49:55 -0400 Subject: [PATCH 206/298] validate workflow test --- .github/workflows/validate.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index d2c7dd643..107082d54 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
@@ -42,6 +42,13 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + - name: install opentofu uses: opentofu/setup-opentofu@v1 with: @@ -84,6 +91,7 @@ jobs: - name: frontend working-directory: ./tofu/environments/stage/services/frontend + continue-on-error: true run: | terragrunt init -upgrade terragrunt validate From 8a60a3f8e7c7493c155b2488e857f477d540d677 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 6 May 2024 13:54:48 -0400 Subject: [PATCH 207/298] validate workflow test --- .github/workflows/validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 107082d54..0024edfeb 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -46,7 +46,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + role-session-name: GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - name: install opentofu From 30deb34b504065028013b7d8880c17c9fb09cacd Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 6 May 2024 13:57:20 -0400 Subject: [PATCH 208/298] validate workflow test --- .github/workflows/deploy-production.yml | 4 ++++ .github/workflows/deploy-staging.yml | 4 ++++ .github/workflows/validate.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 96e1a1226..8ae3f3aae 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
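Review bot: `continue-on-error: true` on the frontend step in the second hunk lets `terragrunt init`/`terragrunt validate` fail without failing the job, so a broken frontend configuration now passes the validate workflow unnoticed. If the step is expected to fail while the stack is being brought up, that should be a temporary, documented exception, e.g. `continue-on-error: true # TODO: frontend stack not yet deployable in stage; remove once it validates`, and removed once it validates. The first hunk's configure-aws-credentials step assumes a role via OIDC, which needs `id-token: write` on the job; that permission is not granted anywhere in this commit, so the step as committed here would fail the token request. The enclosing job definitions start outside both hunks.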
@@ -7,6 +7,10 @@ concurrency: on: workflow_dispatch +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: detect-changes: runs-on: ubuntu-latest diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 7296f7f34..2834195ff 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -9,6 +9,10 @@ on: branches: - main +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: detect-changes: runs-on: ubuntu-latest diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 0024edfeb..7238ca7d8 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -9,6 +9,10 @@ on: branches: - add-tf-iac +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + jobs: detect-changes: runs-on: ubuntu-latest From ffe100350aeff530689fd4de083e6d6b1dac8076 Mon Sep 17 00:00:00 2001 
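Review bot: The new `permissions` block is workflow-level, so `id-token: write` is granted to every job in the file, including `detect-changes`, which only needs `contents: read`. Least privilege would be to keep `contents: read` at the top level and put `id-token: write` in the `permissions:` of just the jobs that run the configure-aws-credentials step, so a compromised or mistaken step in any other job cannot mint an OIDC token for the cloud role. The same applies to the deploy-staging.yml and validate.yml hunks in this commit.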
From: Jo Date: Thu, 9 May 2024 14:18:02 -0400 Subject: [PATCH 209/298] replaced hardcoded variables with environment variables --- .github/workflows/deploy-production.yml | 28 ++++++++++++ .github/workflows/deploy-staging.yml | 30 ++++++++++++- .github/workflows/validate.yml | 14 ++++++ .../prod/data-store/cache/terragrunt.hcl | 6 +-- .../prod/data-store/database/terragrunt.hcl | 6 +-- .../prod/network/vpc/terragrunt.hcl | 6 +-- .../services/backend-infra/terragrunt.hcl | 6 +-- .../services/backend-service/terragrunt.hcl | 44 ++++++++++++------- .../prod/services/frontend/terragrunt.hcl | 6 +-- .../data-store/cache/.terraform.lock.hcl | 24 +++++----- .../stage/data-store/cache/terragrunt.hcl | 6 +-- .../data-store/database/.terraform.lock.hcl | 26 +++++------ .../stage/data-store/database/terragrunt.hcl | 6 +-- .../stage/network/vpc/terragrunt.hcl | 6 +-- .../services/backend-infra/terragrunt.hcl | 6 +-- .../backend-service/.terraform.lock.hcl | 26 +++++------ .../services/backend-service/terragrunt.hcl | 44 ++++++++++++------- .../stage/services/frontend/terragrunt.hcl | 6 +-- .../terraform/tfbackend/.terraform.lock.hcl | 43 +++++++++++++----- tofu/modules/data-store/cache/main.tf | 2 - tofu/modules/data-store/cache/outputs.tf | 2 +- tofu/modules/services/backend-infra/main.tf | 2 +- tofu/modules/services/backend-service/main.tf | 26 ++++++++--- .../services/backend-service/variables.tf | 16 ++++--- 24 files changed, 259 insertions(+), 128 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 8ae3f3aae..d2e25b2b1 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
@@ -41,6 +41,20 @@ jobs: runs-on: ubuntu-latest environment: production if: needs.detect-changes.outputs.deploy-iac == 'true' + env: + TF_VAR_region: ${{ vars.AWS_REGION }} + TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} + TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" + TF_VAR_app_env: ${{ vars.APP_ENV }} + TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} + TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} + TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} + TF_VAR_log_level: ${{ vars.LOG_LEVEL }} + TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} + TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} + TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} + TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - uses: actions/checkout@v4 @@ -136,6 +150,20 @@ jobs: runs-on: ubuntu-latest environment: production if: needs.detect-changes.outputs.deploy-backend == 'true' + env: + TF_VAR_region: ${{ vars.AWS_REGION }} + TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} + TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" + TF_VAR_app_env: ${{ vars.APP_ENV }} + TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} + TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} + TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} + TF_VAR_log_level: ${{ vars.LOG_LEVEL }} + TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} + TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} + TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} + TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 2834195ff..2064060e4 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml 
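Review bot: The job exports its values as `TF_VAR_*` environment variables, but the terragrunt hunks later in this commit read them with `get_env("environment")`, `get_env("region")`, `get_env("name_prefix")` and so on, which look up environment variables by that exact name, so unless something else sets the unprefixed names the terragrunt `locals` will fail to resolve; either export both names or change the `get_env` calls to the `TF_VAR_` names. The key names also drift: the workflow sets `TF_VAR_db_encrypted_secret` while backend-service reads `get_env("db_enc_secret")`, and `get_env("sentry_dsn")` has no counterpart in this env block at all. `TF_VAR_zoom_secret: ${{ vars.zoom_secret }}` uses a lower-case variable name where every other entry is upper-case; GitHub variable names are not case-sensitive, but the inconsistency invites a typo later. The `*_SECRET` values appear to be Secrets Manager ARNs (see the commented-out values in the backend-service hunk), which is acceptable in `vars`; if any of them ever holds the secret material itself it must come from `secrets.*` so it is masked in job logs. The same env block is repeated in the second hunk here and in the deploy-staging.yml and validate.yml hunks.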
@@ -7,7 +7,7 @@ concurrency: on: push: branches: - - main + - add-tf-iac permissions: id-token: write # This is required for requesting the JWT @@ -43,6 +43,20 @@ jobs: runs-on: ubuntu-latest environment: staging if: needs.detect-changes.outputs.deploy-iac == 'true' + env: + TF_VAR_region: ${{ vars.AWS_REGION }} + TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} + TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" + TF_VAR_app_env: ${{ vars.APP_ENV }} + TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} + TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} + TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} + TF_VAR_log_level: ${{ vars.LOG_LEVEL }} + TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} + TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} + TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} + TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - uses: actions/checkout@v4 @@ -138,6 +152,20 @@ jobs: runs-on: ubuntu-latest environment: staging if: needs.detect-changes.outputs.deploy-backend == 'true' + env: + TF_VAR_region: ${{ vars.AWS_REGION }} + TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} + TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" + TF_VAR_app_env: ${{ vars.APP_ENV }} + TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} + TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} + TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} + TF_VAR_log_level: ${{ vars.LOG_LEVEL }} + TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} + TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} + TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} + TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 7238ca7d8..ce5aef1d5 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
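Review bot: The first hunk changes the push trigger of deploy-staging.yml from `main` to `add-tf-iac`, which is unrelated to the commit subject and means every push to a feature branch now runs a deploy against the staging environment. If this is a temporary hook for testing the workflow it should be reverted before merge, or replaced with `workflow_dispatch:` so deploys from the branch are explicit. The env blocks in the other two hunks carry the same `TF_VAR_` versus `get_env` name drift noted on deploy-production.yml.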
@@ -43,6 +43,20 @@ jobs: runs-on: ubuntu-latest environment: staging if: needs.detect-changes.outputs.validate-iac == 'true' + env: + TF_VAR_region: ${{ vars.AWS_REGION }} + TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} + TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" + TF_VAR_app_env: ${{ vars.APP_ENV }} + TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} + TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} + TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} + TF_VAR_log_level: ${{ vars.LOG_LEVEL }} + TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} + TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} + TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} + TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - uses: actions/checkout@v4 diff --git a/tofu/environments/prod/data-store/cache/terragrunt.hcl b/tofu/environments/prod/data-store/cache/terragrunt.hcl index 086987807..43a12378c 100644 --- a/tofu/environments/prod/data-store/cache/terragrunt.hcl +++ b/tofu/environments/prod/data-store/cache/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/data-store/database/terragrunt.hcl b/tofu/environments/prod/data-store/database/terragrunt.hcl index 6a8a0a46a..34ace89dd 100644 --- a/tofu/environments/prod/data-store/database/terragrunt.hcl +++ b/tofu/environments/prod/data-store/database/terragrunt.hcl 
@@ -41,9 +41,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/network/vpc/terragrunt.hcl b/tofu/environments/prod/network/vpc/terragrunt.hcl index edae031a7..bb872d6e8 100644 --- a/tofu/environments/prod/network/vpc/terragrunt.hcl +++ b/tofu/environments/prod/network/vpc/terragrunt.hcl @@ -13,9 +13,9 @@ terraform { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/services/backend-infra/terragrunt.hcl b/tofu/environments/prod/services/backend-infra/terragrunt.hcl index a3db7f744..8fd3930f8 100644 --- a/tofu/environments/prod/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/prod/services/backend-infra/terragrunt.hcl @@ -28,9 +28,9 @@ dependency "vpc" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags 
diff --git a/tofu/environments/prod/services/backend-service/terragrunt.hcl b/tofu/environments/prod/services/backend-service/terragrunt.hcl index a60e54cad..f87af8753 100644 --- a/tofu/environments/prod/services/backend-service/terragrunt.hcl +++ b/tofu/environments/prod/services/backend-service/terragrunt.hcl @@ -43,12 +43,24 @@ dependency "database" { } } +dependency "cache" { + config_path = "../../data-store/cache" + + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] + mock_outputs = { + redis_endpoint = "mockcache.serverless.use1.cache.amazonaws.com" + } +} + locals { - project = include.root.locals.project - environment = include.env.locals.environment - short_name = include.root.locals.short_name - name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" - region = include.env.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") + //project = include.root.locals.project + //environment = include.env.locals.environment + short_name = include.root.locals.short_name + //name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" + //region = include.env.locals.region project_tags = include.root.locals.tags environment_tags = include.env.locals.tags tags = "${merge(local.project_tags, local.environment_tags)}" 
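Review bot: The `locals` block keeps the replaced assignments as `//project = ...`, `//environment = ...`, `//name_prefix = ...` and `//region = ...` comments beside the new `get_env` calls; commented-out configuration drifts from the live one and should be deleted, since history already records the previous form. `local.project` is removed while `short_name` stays live, so any remaining reference to `local.project` in this file outside the two hunks would now fail to resolve. The `get_env` calls carry no default, which makes a missing variable a hard error before plan; that is reasonable for required inputs, but it is worth a one-line comment on the block saying the values are expected from the CI env, e.g. `# environment, name_prefix and region are supplied by the workflow env, not by the includes`.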
@@ -63,17 +75,19 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = "https://${local.project}.day" - short_base_url = "https://${local.short_name}.day" - app_env = local.environment - sentry_dsn = "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" - zoom_auth_callback = "https://${local.project}.day/api/v1/zoom/callback" + frontend_url = get_env("frontend_url") //"https://${local.project}.day" + short_base_url = get_env("short_base_url") //"https://${local.short_name}.day" + app_env = get_env("app_env") //local.environment + sentry_dsn = get_env("sentry_dsn") //"https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" + zoom_auth_callback = get_env("zoom_callback") //"https://${local.project}.day/api/v1/zoom/callback" short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-db-secret-xcaWVh" - smtp_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" - google_oauth_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-google-cal-oauth-8x5LUO" - zoom_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" - fxa_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:prod/appointment/fxa-lRA3qx" + db_enc_secret = get_env("db_enc_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-db-secret-xcaWVh" + smtp_secret = get_env("smtp_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" + google_oauth_secret = get_env("google_oauth_secret") 
//"arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-google-cal-oauth-8x5LUO" + zoom_secret = get_env("zoom_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" + fxa_secret = get_env("fxa_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:prod/appointment/fxa-lRA3qx" + redis_endpoint = dependency.cache.outputs.endpoint + log_level = get_env("log_level") tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/prod/services/frontend/terragrunt.hcl b/tofu/environments/prod/services/frontend/terragrunt.hcl index b03265193..dc35e3bf4 100644 --- a/tofu/environments/prod/services/frontend/terragrunt.hcl +++ b/tofu/environments/prod/services/frontend/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl index 8d8208be0..280be643a 100644 --- a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" + version = "5.48.0" constraints = ">= 5.46.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", + "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", + "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", + "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", + "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", + "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", + "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", + "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", + "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", + "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", + "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", ] } diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 086987807..43a12378c 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl 
+++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index a0ce2ccea..df201a5a9 100644 --- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" - constraints = ">= 5.36.0, >= 5.46.0" + version = "5.48.0" + constraints = ">= 5.46.0, >= 5.47.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", + "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", + "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", + "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", + "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", + "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", + "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", + "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", + "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", + "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", + "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", ] } diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 5375f95df..96fd54234 100644 
--- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -42,9 +42,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/network/vpc/terragrunt.hcl b/tofu/environments/stage/network/vpc/terragrunt.hcl index edae031a7..bb872d6e8 100644 --- a/tofu/environments/stage/network/vpc/terragrunt.hcl +++ b/tofu/environments/stage/network/vpc/terragrunt.hcl @@ -13,9 +13,9 @@ terraform { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 6441d796d..29dd99171 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl 
@@ -28,9 +28,9 @@ dependency "vpc" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl index 1a0a0b239..280be643a 100644 --- a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" - constraints = ">= 5.40.0" + version = "5.48.0" + constraints = ">= 5.46.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", + "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", + "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", + "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", + "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", + "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", + "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", + "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", + "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", + "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", + "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", ] } diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 39d7ee0a0..2b82c94a0 100644 
--- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -43,12 +43,24 @@ dependency "database" { } } +dependency "cache" { + config_path = "../../data-store/cache" + + mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] + mock_outputs = { + redis_endpoint = "mockcache.serverless.use1.cache.amazonaws.com" + } +} + locals { - project = include.root.locals.project - environment = include.env.locals.environment - short_name = include.root.locals.short_name - name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" - region = include.env.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") + project = include.root.locals.project + //environment = include.env.locals.environment + short_name = include.root.locals.short_name + //name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" + //region = include.env.locals.region project_tags = include.root.locals.tags environment_tags = include.env.locals.tags tags = "${merge(local.project_tags, local.environment_tags)}" 
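Review bot: The new `dependency "cache"` block declares a mock output named `redis_endpoint`, but the `inputs` block later in this file reads `dependency.cache.outputs.endpoint`, so under `init`/`validate`/`plan` with mocks the referenced attribute is absent and the mock does not do its job; the key should match the module output, `endpoint = "mockcache.serverless.use1.cache.amazonaws.com"`. The prod counterpart also has a `dependency "cache"` block (visible only as hunk context further down this page), so it is worth checking there too. The `//environment`, `//name_prefix` and `//region` lines are dead duplicates of the assignments directly above them and can go now that `get_env` is the chosen source.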
@@ -63,17 +75,19 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = "https://${local.environment}.${local.project}.day" - short_base_url = "https://${local.environment}.${local.short_name}.day" - app_env = local.environment - sentry_dsn = "https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" - zoom_auth_callback = "https://${local.environment}.${local.project}.day/api/v1/zoom/callback" + frontend_url = get_env("frontend_url") //"https://${local.project}.day" + short_base_url = get_env("short_base_url") //"https://${local.short_name}.day" + app_env = get_env("app_env") //local.environment + sentry_dsn = get_env("sentry_dsn") //"https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" + zoom_auth_callback = get_env("zoom_callback") //"https://${local.project}.day/api/v1/zoom/callback" short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" - smtp_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" - google_oauth_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" - zoom_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" - fxa_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-fxa-7koQF0" + db_enc_secret = get_env("db_enc_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" + smtp_secret = get_env("smtp_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" + google_oauth_secret = 
get_env("google_oauth_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" + zoom_secret = get_env("zoom_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" + fxa_secret = get_env("fxa_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-fxa-7koQF0" + log_level = get_env("log_level") + redis_endpoint = dependency.cache.outputs.endpoint tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index b03265193..dc35e3bf4 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "backend" { } locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region + environment = get_env("environment") + name_prefix = get_env("name_prefix") + region = get_env("region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl index b88b3b5eb..280be643a 100644 --- a/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl +++ b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl 
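Review bot: The trailing comments on the new `frontend_url`, `short_base_url` and `zoom_auth_callback` lines show `https://${local.project}.day`, which is the prod pattern, while the stage values they replace were `https://${local.environment}.${local.project}.day`, so the comments misdocument what this environment expects. Either delete them or make them reflect the removed value, e.g. `frontend_url = get_env("frontend_url") // was "https://${local.environment}.${local.project}.day"`. The `inputs` block starts before this hunk.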
@@ -2,18 +2,37 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.41.0" + version = "5.48.0" + constraints = ">= 5.46.0" hashes = [ - "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", - "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", - "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", - "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", - "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", - "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", - "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", - "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", - "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", - "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", - "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", + "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", + "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", + "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", + "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", + "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", + "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", + "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", + "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", + "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", + "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + constraints = ">= 3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + 
"zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", ] } diff --git a/tofu/modules/data-store/cache/main.tf b/tofu/modules/data-store/cache/main.tf index 7d980daeb..6efa74c90 100644 --- a/tofu/modules/data-store/cache/main.tf +++ b/tofu/modules/data-store/cache/main.tf @@ -2,10 +2,8 @@ resource "aws_elasticache_serverless_cache" "redis" { engine = "redis" name = "${var.name_prefix}-redis" - daily_snapshot_time = "09:00" description = "Appointment Caches" major_engine_version = "7" - snapshot_retention_limit = 1 security_group_ids = [aws_security_group.redis.id] subnet_ids = var.subnets diff --git a/tofu/modules/data-store/cache/outputs.tf b/tofu/modules/data-store/cache/outputs.tf index e0709318a..11b9ffd44 100644 --- a/tofu/modules/data-store/cache/outputs.tf +++ b/tofu/modules/data-store/cache/outputs.tf @@ -1,5 +1,5 @@ output "endpoint" { - value = aws_elasticache_serverless_cache.redis.endpoint + value = aws_elasticache_serverless_cache.redis.endpoint.0.address } output "security_group_id" { diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index 4b2e4d0a6..ba46170ba 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
@@ -152,7 +152,7 @@ module "backend_alb" {
 health_check = {
 enabled = true
 healthy_threshold = 2
- interval = 10
+ interval = 60
 matcher = "200"
 path = "/"
 port = "traffic-port"
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index adb46ed6f..3fc8800f8 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -72,7 +72,7 @@ resource "aws_ecs_task_definition" "backend" {
 },
 {
 "name" : "LOG_LEVEL",
- "value" : "INFO"
+ "value" : "var.log_level"
 },
 {
 "name" : "APP_ENV",
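Review bot: `"value" : "var.log_level"` in the LOG_LEVEL entry is a quoted string, so the container receives the literal text `var.log_level` rather than the variable's value; HCL interpolates only inside `${}`, and the fix is `"value" : var.log_level` (the REDIS_URL entry added in the next hunk already uses the unquoted form). The `interval = 60` change in the backend_alb health check means a new target needs at least two minutes (`healthy_threshold = 2`) before it takes traffic; if slower rollouts are intended, a short comment such as `# 60s keeps health-check load low; targets take >= 2 min to go healthy` would record it. Both enclosing blocks start before their hunks.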
@@ -105,32 +105,44 @@ resource "aws_ecs_task_definition" "backend" { { "name" : "JWT_EXPIRE_IN_MINS", "value" : "10000" + }, + { + "name": "REDIS_URL", + "value": var.redis_endpoint + }, + { + "name": "REDIS_PORT", + "value": "6379" + }, + { + "name": "REDIS_DB", + "value": "0" } ], secrets = [ { "name" : "DATABASE_SECRETS", - "valueFrom" : var.database_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" + "valueFrom" : var.database_secret }, { "name" : "DB_ENC_SECRET", - "valueFrom" : var.db_enc_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" + "valueFrom" : var.db_enc_secret }, { "name" : "SMTP_SECRETS", - "valueFrom" : var.smtp_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" + "valueFrom" : var.smtp_secret }, { "name" : "GOOGLE_OAUTH_SECRETS", - "valueFrom" : var.google_oauth_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" + "valueFrom" : var.google_oauth_secret }, { "name" : "ZOOM_SECRETS", - "valueFrom" : var.zoom_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" + "valueFrom" : var.zoom_secret }, { "name" : "FXA_SECRETS", - "valueFrom" : var.fxa_secret //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-7koQF0" + "valueFrom" : var.fxa_secret } ], logConfiguration = { diff --git a/tofu/modules/services/backend-service/variables.tf b/tofu/modules/services/backend-service/variables.tf index 6d9054ab3..cacfd8fc7 100644 --- a/tofu/modules/services/backend-service/variables.tf +++ b/tofu/modules/services/backend-service/variables.tf 
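Review bot: `REDIS_URL` is set from `var.redis_endpoint`, which this commit wires to `aws_elasticache_serverless_cache.redis.endpoint.0.address`, a bare hostname with no scheme or port; if the application parses `REDIS_URL` as a connection URL, which is the usual reading of that name, it will not connect. The application side is not visible here, so either the value should be a full URL or the variable should be named `REDIS_HOST` to match `REDIS_PORT` and `REDIS_DB`. Dropping the stale ARN comments from the `secrets` entries is the right move; the terragrunt files changed in the same commit still keep those literals in trailing comments. The `aws_ecs_task_definition` block starts before this hunk.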
@@ -81,35 +81,39 @@ variable "zoom_auth_callback" { variable "database_secret" { description = "Database secret ARN" type = string - sensitive = true } variable "db_enc_secret" { description = "DB encryped secret ARN" type = string - sensitive = true } variable "smtp_secret" { description = "smtp connection info" type = string - sensitive = true } variable "google_oauth_secret" { description = "Google OAUTH secret ARN" type = string - sensitive = true } variable "zoom_secret" { description = "Zoom secret ARN" type = string - sensitive = true } variable "fxa_secret" { description = "FXA secret ARN" type = string - sensitive = true +} + +variable "redis_endpoint" { + description = "Redis cache endpoint" + type = string +} + +variable "log_level" { + description = "application logging level" + type = string } \ No newline at end of file From 3be7a4de37d91efe74aba751f955a79279d3912e Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 9 May 2024 14:27:32 -0400 Subject: [PATCH 210/298] confirming environment variables --- .github/workflows/deploy-staging.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 2064060e4..dfc16f499 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -82,6 +82,7 @@ jobs: - name: vpc working-directory: ./tofu/environments/stage/network/vpc run: | + printenv terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan From aae4dcdea586bc5151d309be5eb7fcc0b1b08281 Mon Sep 17 00:00:00 2001 
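Review bot: Removing `sensitive = true` from the six secret-ARN variables means those ARNs now appear unredacted in plan and apply output and therefore in CI logs; they are identifiers rather than secret material, but they embed the account id and the secret names, and nothing in this hunk records why the redaction was dropped. If the intent is readable plan diffs, say so on the variables, e.g. `# ARN only, never the secret value; left non-sensitive so plan output shows which secret is wired`. The new `redis_endpoint` and `log_level` variables have no `validation`; a `validation` block restricting `log_level` to the levels the application accepts would surface a mis-set environment variable at plan time instead of at container start.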
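Review bot: `printenv` in the vpc step writes the entire job environment to the workflow log, including every `TF_VAR_*` value taken from `vars` or `secrets` and any tokens the runner or earlier steps injected; GitHub masks only values registered as secrets, so anything passed through repository or environment `vars` is logged in clear. A debugging step like this should not reach the default branch; if confirming the variables is needed, print names only, `printenv | grep '^TF_VAR_' | cut -d= -f1`, or remove the line before merge. The `run:` block may continue past this hunk.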
From: Jo Date: Thu, 9 May 2024 14:38:51 -0400 Subject: [PATCH 211/298] confirming environment variables --- .../prod/data-store/cache/terragrunt.hcl | 6 ++--- .../prod/data-store/database/terragrunt.hcl | 6 ++--- .../prod/network/vpc/terragrunt.hcl | 6 ++--- .../services/backend-infra/terragrunt.hcl | 6 ++--- .../services/backend-service/terragrunt.hcl | 6 ++--- .../prod/services/frontend/terragrunt.hcl | 6 ++--- .../stage/data-store/cache/terragrunt.hcl | 6 ++--- .../stage/data-store/database/terragrunt.hcl | 6 ++--- .../stage/network/vpc/.terraform.lock.hcl | 24 +++++++++---------- .../stage/network/vpc/terragrunt.hcl | 6 ++--- .../services/backend-infra/terragrunt.hcl | 6 ++--- .../services/backend-service/terragrunt.hcl | 6 ++--- .../stage/services/frontend/terragrunt.hcl | 6 ++--- 13 files changed, 48 insertions(+), 48 deletions(-) diff --git a/tofu/environments/prod/data-store/cache/terragrunt.hcl b/tofu/environments/prod/data-store/cache/terragrunt.hcl index 43a12378c..c7d578ca3 100644 --- a/tofu/environments/prod/data-store/cache/terragrunt.hcl +++ b/tofu/environments/prod/data-store/cache/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/data-store/database/terragrunt.hcl b/tofu/environments/prod/data-store/database/terragrunt.hcl index 34ace89dd..77a7ac842 100644 --- a/tofu/environments/prod/data-store/database/terragrunt.hcl +++ b/tofu/environments/prod/data-store/database/terragrunt.hcl 
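Review bot: The same three `get_env("TF_VAR_...")` locals are now repeated verbatim in twelve terragrunt.hcl files, and this commit shows the cost: a variable rename had to be applied in twelve places. Reading them once in the shared environment include (`include.environment.locals` already supplies `tags` to every one of these files) and referencing them from there would keep the next rename to a single hunk. Because `get_env` is called without a default, an unset variable fails the run rather than yielding an empty name, which is the right behaviour for `name_prefix` and worth a one-line comment, e.g. `# no defaults on purpose: an unset TF_VAR_* must fail the run, not create unprefixed resources`. The same change appears in the other eleven hunks of this commit.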
@@ -41,9 +41,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/network/vpc/terragrunt.hcl b/tofu/environments/prod/network/vpc/terragrunt.hcl index bb872d6e8..f3bac5f91 100644 --- a/tofu/environments/prod/network/vpc/terragrunt.hcl +++ b/tofu/environments/prod/network/vpc/terragrunt.hcl @@ -13,9 +13,9 @@ terraform { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/services/backend-infra/terragrunt.hcl b/tofu/environments/prod/services/backend-infra/terragrunt.hcl index 8fd3930f8..4b1289993 100644 --- a/tofu/environments/prod/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/prod/services/backend-infra/terragrunt.hcl @@ -28,9 +28,9 @@ dependency "vpc" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/prod/services/backend-service/terragrunt.hcl b/tofu/environments/prod/services/backend-service/terragrunt.hcl index f87af8753..d2434b8a5 100644 --- a/tofu/environments/prod/services/backend-service/terragrunt.hcl +++ b/tofu/environments/prod/services/backend-service/terragrunt.hcl 
@@ -53,9 +53,9 @@ dependency "cache" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") //project = include.root.locals.project //environment = include.env.locals.environment short_name = include.root.locals.short_name diff --git a/tofu/environments/prod/services/frontend/terragrunt.hcl b/tofu/environments/prod/services/frontend/terragrunt.hcl index dc35e3bf4..18074bd2b 100644 --- a/tofu/environments/prod/services/frontend/terragrunt.hcl +++ b/tofu/environments/prod/services/frontend/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 43a12378c..c7d578ca3 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -33,9 +33,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 96fd54234..0275cd2d0 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl 
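Review bot: This prod backend-service locals block keeps `project` commented out (`//project = include.root.locals.project`) while the stage counterpart in the same commit keeps `project = include.root.locals.project` active, so the two environments now differ in which locals exist. If prod's `inputs` no longer reference `local.project` the drift is harmless, but it is the kind of difference that only surfaces when a stage change is promoted; either restore the line in prod or add a comment saying why prod does not need it. The `locals` block continues past this hunk.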
+++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -42,9 +42,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl index fce9acaad..028c81819 100644 --- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl +++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" + version = "5.48.0" constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", + "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", + "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", + "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", + "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", + "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", + "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", + "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", + "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", + "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", + "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", ] } diff --git a/tofu/environments/stage/network/vpc/terragrunt.hcl b/tofu/environments/stage/network/vpc/terragrunt.hcl index bb872d6e8..f3bac5f91 100644 --- a/tofu/environments/stage/network/vpc/terragrunt.hcl 
+++ b/tofu/environments/stage/network/vpc/terragrunt.hcl @@ -13,9 +13,9 @@ terraform { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/services/backend-infra/terragrunt.hcl b/tofu/environments/stage/services/backend-infra/terragrunt.hcl index 29dd99171..7a4aeac5a 100644 --- a/tofu/environments/stage/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-infra/terragrunt.hcl @@ -28,9 +28,9 @@ dependency "vpc" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 2b82c94a0..af5308d57 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -53,9 +53,9 @@ dependency "cache" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project = include.root.locals.project //environment = include.env.locals.environment short_name = include.root.locals.short_name 
diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend/terragrunt.hcl index dc35e3bf4..18074bd2b 100644 --- a/tofu/environments/stage/services/frontend/terragrunt.hcl +++ b/tofu/environments/stage/services/frontend/terragrunt.hcl @@ -24,9 +24,9 @@ dependency "backend" { } locals { - environment = get_env("environment") - name_prefix = get_env("name_prefix") - region = get_env("region") + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags From 63c16725f69365cc558d9cbe78b4b7c930c28455 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 9 May 2024 15:27:09 -0400 Subject: [PATCH 212/298] testing create_before_destroy --- tofu/modules/network/vpc/main.tf | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index 015a96f36..587698c6d 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf @@ -227,6 +227,10 @@ resource "aws_security_group" "ecr_endpoint" { tags = merge(var.tags, { Name = "${var.name_prefix}-ecr-endpoint" }) + lifecycle { + create_before_destroy = true + } + } resource "aws_security_group_rule" "ecr_endpoint_ingress" { @@ -246,6 +250,10 @@ resource "aws_security_group" "secrets_endpoint" { tags = merge(var.tags, { Name = "${var.name_prefix}-secrets-endpoint" }) + lifecycle { + create_before_destroy = true + } + } resource "aws_security_group_rule" "secrets_endpoint_ingress" { @@ -265,6 +273,10 @@ resource "aws_security_group" "logs_endpoint" { tags = merge(var.tags, { Name = "${var.name_prefix}-logs-endpoint" }) + lifecycle { + create_before_destroy = true + } + } resource "aws_security_group_rule" "logs_endpoint_ingress" { From 4cdf2168d95357f5da221e0c878a006de8d9ae1f Mon Sep 17 00:00:00 2001 
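Review bot: `create_before_destroy = true` on these three security groups only works if the replacement can be created while the old group still exists; if the resources set `name` (the attribute is outside these hunks) the replacement fails with a duplicate-name error, since EC2 requires group names to be unique within a VPC, and switching to `name_prefix` is the usual companion to this lifecycle setting. The same addition appears in the `secrets_endpoint` and `logs_endpoint` hunks of this commit. Each `aws_security_group` block starts before its hunk.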
From: Jo Date: Thu, 9 May 2024 15:39:16 -0400 Subject: [PATCH 213/298] actions fixes --- .github/workflows/deploy-production.yml | 26 ++++++++++++++----------- .github/workflows/deploy-staging.yml | 26 ++++++++++++++----------- 2 files changed, 30 insertions(+), 22 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index d2e25b2b1..5cf65fc42 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -38,9 +38,9 @@ jobs: deploy-iac: needs: detect-changes - runs-on: ubuntu-latest - environment: production if: needs.detect-changes.outputs.deploy-iac == 'true' + environment: production + runs-on: ubuntu-latest env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} @@ -118,10 +118,12 @@ jobs: terragrunt apply tfplan deploy-frontend: - needs: detect-changes - runs-on: ubuntu-latest - environment: production + needs: + - detect-changes + - deploy-iac if: needs.detect-changes.outputs.deploy-frontend == 'true' + environment: production + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -135,7 +137,7 @@ jobs: - name: Build project run: | - cp frontend/.env.${{ vars.APP_ENV }}.example frontend/.env.${{ vars.APP_ENV }} + cp frontend/.env.prod.example frontend/.env.prod cd frontend && yarn build --mode ${{ vars.APP_ENV }} - name: Configure AWS credentials @@ -145,11 +147,13 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - deploy-backend: - needs: detect-changes - runs-on: ubuntu-latest - environment: production + deploy-backend-service: + needs: + - detect-changes + - deploy-iac if: needs.detect-changes.outputs.deploy-backend == 'true' + environment: production + runs-on: ubuntu-latest env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} 
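Review bot: Adding `deploy-iac` to `needs:` of `deploy-frontend` and `deploy-backend-service` while keeping `if: needs.detect-changes.outputs.deploy-frontend == 'true'` means these jobs are skipped whenever `deploy-iac` is skipped, because a job `if` without a status function gets `success()` applied implicitly and a skipped dependency does not count as success; a frontend-only change will therefore never deploy. The condition needs to tolerate the skip, e.g. `if: ${{ !cancelled() && needs.deploy-iac.result != 'failure' && needs.detect-changes.outputs.deploy-frontend == 'true' }}`, and likewise for the backend job. `cp frontend/.env.prod.example frontend/.env.prod` is hard-coded while the build still runs `--mode ${{ vars.APP_ENV }}`, so the two agree only if `APP_ENV` is exactly `prod`; the staging file has the same pair with `staging`. Renaming `deploy-backend` to `deploy-backend-service` breaks any `needs: deploy-backend` elsewhere in the file, which is outside these hunks. deploy-staging.yml in this commit has the identical `needs:` issue.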
@@ -195,7 +199,7 @@ jobs: - name: Build, tag, and push backend image to Amazon ECR id: build-backend env: - ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/$${{ vars.PROJECT }}:backend-${{ github.sha }}' + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' run: | # Build a docker container and # push it to ECR so that it can diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index dfc16f499..28138a3e1 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -40,9 +40,9 @@ jobs: deploy-iac: needs: detect-changes - runs-on: ubuntu-latest - environment: staging if: needs.detect-changes.outputs.deploy-iac == 'true' + environment: staging + runs-on: ubuntu-latest env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} @@ -121,10 +121,12 @@ jobs: terragrunt apply tfplan deploy-frontend: - needs: detect-changes - runs-on: ubuntu-latest - environment: staging + needs: + - detect-changes + - deploy-iac if: needs.detect-changes.outputs.deploy-frontend == 'true' + environment: staging + runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -138,7 +140,7 @@ jobs: - name: Build project run: | - cp frontend/.env.${{ vars.APP_ENV }}.example frontend/.env.${{ vars.APP_ENV }} + cp frontend/.env.staging.example frontend/.env.staging cd frontend && yarn build --mode ${{ vars.APP_ENV }} - name: Configure AWS credentials @@ -148,11 +150,13 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - deploy-backend: - needs: detect-changes - runs-on: ubuntu-latest - environment: staging + deploy-backend-service: + needs: + - detect-changes + - deploy-iac if: needs.detect-changes.outputs.deploy-backend == 'true' + environment: staging + runs-on: ubuntu-latest env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} 
@@ -198,7 +202,7 @@ jobs: - name: Build, tag, and push backend image to Amazon ECR id: build-backend env: - ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/$${{ vars.PROJECT }}:backend-${{ github.sha }}' + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' run: | # Build a docker container and # push it to ECR so that it can From 802e24fd1293c224c7f685507903785c174ed8f2 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 09:40:50 -0400 Subject: [PATCH 214/298] multiple minor fixes --- .../data-store/cache/.terraform.lock.hcl | 24 +++++++++---------- .../stage/data-store/database/terragrunt.hcl | 4 +++- .../services/frontend/.terraform.lock.hcl | 24 +++++++++---------- tofu/modules/data-store/database/main.tf | 3 +++ tofu/modules/data-store/database/variables.tf | 5 ++++ tofu/modules/network/vpc/main.tf | 2 +- tofu/modules/services/frontend/main.tf | 10 ++++---- 7 files changed, 41 insertions(+), 31 deletions(-) diff --git a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl index 280be643a..fa8ff69df 100644 --- a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.48.0" + version = "5.49.0" constraints = ">= 5.46.0" hashes = [ - "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", - "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", - "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", - "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", - "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", - "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", - "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", - "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", - "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", - "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", - "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 0275cd2d0..779a2c4d0 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl 
+++ b/tofu/environments/stage/data-store/database/terragrunt.hcl
@@ -19,6 +19,7 @@ dependency "vpc" {
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 database_subnet_group = "mock_subnet_group"
+ database_subnets = []
 }
 }
@@ -56,7 +57,8 @@ inputs = {
 name_prefix = local.name_prefix
 region = local.region
 vpc = dependency.vpc.outputs.vpc_id
- subnet_group = dependency.vpc.outputs.database_subnet_group
+ subnet_group = local.name_prefix //dependency.vpc.outputs.database_subnet_group
+ database_subnets = dependency.vpc.outputs.database_subnets
 elasticache_security_group = dependency.cache.outputs.security_group_id
 backend_security_group = dependency.backend.outputs.security_group_id
 database_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj"
diff --git a/tofu/environments/stage/services/frontend/.terraform.lock.hcl b/tofu/environments/stage/services/frontend/.terraform.lock.hcl
index 8d8208be0..fa8ff69df 100644
--- a/tofu/environments/stage/services/frontend/.terraform.lock.hcl
+++ b/tofu/environments/stage/services/frontend/.terraform.lock.hcl
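Review bot: `subnet_group = local.name_prefix //dependency.vpc.outputs.database_subnet_group` passes a naming prefix under an input that is still typed `string` and named as if it were a subnet group, and the superseded expression is left behind as a trailing comment rather than removed. If the module now creates its own subnet group (the `create_db_subnet_group = true` hunk below suggests so), say that at the call site, `subnet_group = local.name_prefix # name for the subnet group the db module creates`, and delete the stale reference. The `database_subnet_group = "mock_subnet_group"` mock output in the first hunk appears to be dead once nothing reads that output — worth confirming and dropping.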
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" + version = "5.49.0" constraints = ">= 5.46.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } diff --git a/tofu/modules/data-store/database/main.tf b/tofu/modules/data-store/database/main.tf index e3b1cc37e..a7a695ffe 100644 --- a/tofu/modules/data-store/database/main.tf +++ b/tofu/modules/data-store/database/main.tf 
@@ -32,6 +32,9 @@ module "db" { enabled_cloudwatch_logs_exports = ["audit", "error", "general", "slowquery"] + create_db_subnet_group = true + subnet_ids = var.database_subnets + # DB parameter group family = "mysql8.0" diff --git a/tofu/modules/data-store/database/variables.tf b/tofu/modules/data-store/database/variables.tf index 0ea357812..51a35565f 100644 --- a/tofu/modules/data-store/database/variables.tf +++ b/tofu/modules/data-store/database/variables.tf @@ -28,6 +28,11 @@ variable "subnet_group" { type = string } +variable "database_subnets" { + description = "DB subnets ids" + type = list +} + variable "elasticache_security_group" { description = "Elasticache security group" type = string diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index 587698c6d..50d191480 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf @@ -16,7 +16,7 @@ module "vpc" { public_subnets = [for k, v in local.azs : cidrsubnet("${var.vpc_cidr}", 8, k + 254)] database_subnets = [for k, v in local.azs : cidrsubnet("${var.vpc_cidr}", 8, k + 2)] - create_database_subnet_group = true + create_database_subnet_group = false manage_default_network_acl = false manage_default_route_table = false manage_default_security_group = false diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend/main.tf index 10ee53c64..f56dfd2fc 100644 --- a/tofu/modules/services/frontend/main.tf +++ b/tofu/modules/services/frontend/main.tf @@ -136,7 +136,7 @@ resource "aws_cloudfront_distribution" "appointment" { function_association { event_type = "viewer-request" - function_arn = aws_cloudfront_function.rewrite_api.arn + function_arn = aws_cloudfront_function.rewrite.arn } viewer_protocol_policy = "redirect-to-https" 
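Review bot: `type = list` on the new `database_subnets` variable is the legacy unconstrained form and accepts elements of any type, so a wrongly shaped value is not rejected at validation time before it reaches `subnet_ids`. Use the element-typed constraint, `type = list(string)`, and a description that says what the list holds, `description = "IDs of the subnets the DB subnet group is created in"`. Separately, the vpc hunk on this line sets `create_database_subnet_group = false`, so any remaining `dependency.vpc.outputs.database_subnet_group` reference is now dead; I could not see whether the vpc module still declares that output.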
@@ -153,7 +153,7 @@ resource "aws_cloudfront_distribution" "appointment" { function_association { event_type = "viewer-request" - function_arn = aws_cloudfront_function.rewrite_api.arn + function_arn = aws_cloudfront_function.rewrite.arn } viewer_protocol_policy = "redirect-to-https" @@ -171,7 +171,7 @@ resource "aws_cloudfront_distribution" "appointment" { function_association { event_type = "viewer-request" - function_arn = aws_cloudfront_function.rewrite_api.arn + function_arn = aws_cloudfront_function.rewrite.arn } viewer_protocol_policy = "redirect-to-https" @@ -199,8 +199,8 @@ resource "aws_cloudfront_origin_access_control" "oac" { signing_protocol = "sigv4" } -resource "aws_cloudfront_function" "rewrite_api" { - name = "${var.name_prefix}-rewrite-api" +resource "aws_cloudfront_function" "rewrite" { + name = "${var.name_prefix}-rewrite" runtime = "cloudfront-js-2.0" code = < Date: Sun, 12 May 2024 10:02:53 -0400 Subject: [PATCH 215/298] minor pipeline fixes --- .github/workflows/deploy-production.yml | 6 +++--- .github/workflows/deploy-staging.yml | 10 +++++----- .github/workflows/validate.yml | 4 ++-- .../services/{frontend => frontend-infra}/main.tf | 0 .../services/{frontend => frontend-infra}/output.tf | 0 .../services/{frontend => frontend-infra}/variables.tf | 0 6 files changed, 10 insertions(+), 10 deletions(-) rename tofu/modules/services/{frontend => frontend-infra}/main.tf (100%) rename tofu/modules/services/{frontend => frontend-infra}/output.tf (100%) rename tofu/modules/services/{frontend => frontend-infra}/variables.tf (100%) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 5cf65fc42..096673a57 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
@@ -109,8 +109,8 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan - - name: frontend - working-directory: ./tofu/environments/stage/services/frontend + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra run: | terragrunt init -upgrade terragrunt validate @@ -147,7 +147,7 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - deploy-backend-service: + deploy-backend: needs: - detect-changes - deploy-iac diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 28138a3e1..c6cf39294 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -112,8 +112,8 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan - - name: frontend - working-directory: ./tofu/environments/stage/services/frontend + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra run: | terragrunt init -upgrade terragrunt validate @@ -150,7 +150,7 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - deploy-backend-service: + deploy-backend: needs: - detect-changes - deploy-iac @@ -209,9 +209,9 @@ jobs: # be deployed to ECS. docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_TAG - echo 'image_backend=$ECR_TAG >> $GITHUB_OUTPUT + echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT - - name: backend-service + - name: deploy backend-service working-directory: ./tofu/environments/stage/services/backend-service run: | terragrunt init -upgrade diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index ce5aef1d5..867ebb3f4 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
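Review bot: The `frontend-infra` step in deploy-production.yml keeps `working-directory: ./tofu/environments/stage/services/frontend-infra`, so the production workflow's IaC job initialises and applies the stage environment's configuration instead of production's. The later commits in this series place production under `tofu/environments/prod/...`, so the line should presumably read `working-directory: ./tofu/environments/prod/services/frontend-infra`. The enclosing `deploy-iac` job starts outside this hunk; its other steps may carry the same `stage` path and should be checked together.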
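Review bot: `echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT` repairs the unbalanced quote but keeps single quotes, so the shell writes the literal text `$ECR_TAG` into the step output and any consumer of `steps.build-backend.outputs.image_backend` receives that string rather than the image reference. Use double quotes on both sides: `echo "image_backend=$ECR_TAG" >> "$GITHUB_OUTPUT"`. The `deploy backend-service` step that follows begins inside this hunk but its `run` block continues past it, so I could not confirm how the output is consumed.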
@@ -107,8 +107,8 @@ jobs: terragrunt init -upgrade terragrunt validate - - name: frontend - working-directory: ./tofu/environments/stage/services/frontend + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra continue-on-error: true run: | terragrunt init -upgrade diff --git a/tofu/modules/services/frontend/main.tf b/tofu/modules/services/frontend-infra/main.tf similarity index 100% rename from tofu/modules/services/frontend/main.tf rename to tofu/modules/services/frontend-infra/main.tf diff --git a/tofu/modules/services/frontend/output.tf b/tofu/modules/services/frontend-infra/output.tf similarity index 100% rename from tofu/modules/services/frontend/output.tf rename to tofu/modules/services/frontend-infra/output.tf diff --git a/tofu/modules/services/frontend/variables.tf b/tofu/modules/services/frontend-infra/variables.tf similarity index 100% rename from tofu/modules/services/frontend/variables.tf rename to tofu/modules/services/frontend-infra/variables.tf From 0d4d3b7b7ab8b803bdf2c2039e0d553e15e15fd7 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 10:06:09 -0400 Subject: [PATCH 216/298] folder rename --- .../services/{frontend => frontend-infra}/.terraform.lock.hcl | 0 .../prod/services/{frontend => frontend-infra}/terragrunt.hcl | 0 .../services/{frontend => frontend-infra}/.terraform.lock.hcl | 0 .../stage/services/{frontend => frontend-infra}/terragrunt.hcl | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename tofu/environments/prod/services/{frontend => frontend-infra}/.terraform.lock.hcl (100%) rename tofu/environments/prod/services/{frontend => frontend-infra}/terragrunt.hcl (100%) rename tofu/environments/stage/services/{frontend => frontend-infra}/.terraform.lock.hcl (100%) rename tofu/environments/stage/services/{frontend => frontend-infra}/terragrunt.hcl (100%) 
diff --git a/tofu/environments/prod/services/frontend/.terraform.lock.hcl b/tofu/environments/prod/services/frontend-infra/.terraform.lock.hcl similarity index 100% rename from tofu/environments/prod/services/frontend/.terraform.lock.hcl rename to tofu/environments/prod/services/frontend-infra/.terraform.lock.hcl diff --git a/tofu/environments/prod/services/frontend/terragrunt.hcl b/tofu/environments/prod/services/frontend-infra/terragrunt.hcl similarity index 100% rename from tofu/environments/prod/services/frontend/terragrunt.hcl rename to tofu/environments/prod/services/frontend-infra/terragrunt.hcl diff --git a/tofu/environments/stage/services/frontend/.terraform.lock.hcl b/tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl similarity index 100% rename from tofu/environments/stage/services/frontend/.terraform.lock.hcl rename to tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl diff --git a/tofu/environments/stage/services/frontend/terragrunt.hcl b/tofu/environments/stage/services/frontend-infra/terragrunt.hcl similarity index 100% rename from tofu/environments/stage/services/frontend/terragrunt.hcl rename to tofu/environments/stage/services/frontend-infra/terragrunt.hcl From 1fc469d15f5a581ec97564e71959151051ee1abb Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 10:11:51 -0400 Subject: [PATCH 217/298] fixed path references --- tofu/environments/prod/services/frontend-infra/terragrunt.hcl | 2 +- tofu/environments/stage/services/frontend-infra/terragrunt.hcl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tofu/environments/prod/services/frontend-infra/terragrunt.hcl b/tofu/environments/prod/services/frontend-infra/terragrunt.hcl index 18074bd2b..ed8608d7b 100644 --- a/tofu/environments/prod/services/frontend-infra/terragrunt.hcl +++ b/tofu/environments/prod/services/frontend-infra/terragrunt.hcl 
@@ -9,7 +9,7 @@ include "environment" {
 }
 terraform {
- source = "../../../../modules/services/frontend"
+ source = "../../../../modules/services/frontend-infra"
 }
 dependency "backend" {
diff --git a/tofu/environments/stage/services/frontend-infra/terragrunt.hcl b/tofu/environments/stage/services/frontend-infra/terragrunt.hcl
index 18074bd2b..ed8608d7b 100644
--- a/tofu/environments/stage/services/frontend-infra/terragrunt.hcl
+++ b/tofu/environments/stage/services/frontend-infra/terragrunt.hcl
@@ -9,7 +9,7 @@ include "environment" {
 }
 terraform {
- source = "../../../../modules/services/frontend"
+ source = "../../../../modules/services/frontend-infra"
 }
 dependency "backend" {
From 71bd290a12f700dbf125c0d2654fe18a360ec5d7 Mon Sep 17 00:00:00 2001
From: Jo
Date: Sun, 12 May 2024 11:07:50 -0400
Subject: [PATCH 218/298] update state backend
---
 .../terraform/tfbackend/.terraform.lock.hcl | 24 +++++++++----------
 .../stage/terraform/tfbackend/terragrunt.hcl | 6 +++--
 tofu/environments/terragrunt.hcl | 6 +++--
 3 files changed, 20 insertions(+), 16 deletions(-)
diff --git a/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl
index 280be643a..fa8ff69df 100644
--- a/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl
+++ b/tofu/environments/stage/terraform/tfbackend/.terraform.lock.hcl
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.48.0" + version = "5.49.0" constraints = ">= 5.46.0" hashes = [ - "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", - "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", - "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", - "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", - "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", - "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", - "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", - "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", - "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", - "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", - "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } diff --git a/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl b/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl index 74efdd318..f3e627c15 100644 --- a/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl 
+++ b/tofu/environments/stage/terraform/tfbackend/terragrunt.hcl @@ -13,8 +13,10 @@ terraform { } locals { - bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state" - table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks" + name_prefix = get_env("TF_VAR_name_prefix") + + bucket_name = "${local.name_prefix}-state" + table_name = "${local.name_prefix}-locks" project_tags = include.root.locals.tags environment_tags = include.environment.locals.tags diff --git a/tofu/environments/terragrunt.hcl b/tofu/environments/terragrunt.hcl index 9fdcedf87..d790f82e2 100644 --- a/tofu/environments/terragrunt.hcl +++ b/tofu/environments/terragrunt.hcl @@ -8,6 +8,8 @@ locals { project = local.project_vars.project short_name = local.project_vars.short_name + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") tags = { project = local.project @@ -24,11 +26,11 @@ generate "backend" { contents = < Date: Sun, 12 May 2024 11:16:29 -0400 Subject: [PATCH 219/298] remote state update --- .../data-store/database/.terraform.lock.hcl | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index df201a5a9..0bcfd9f63 100644 --- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl 
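Review bot: `name_prefix = get_env("TF_VAR_name_prefix")` moves the state bucket and lock table names from values held in version control (`include.root.locals.short_name` and `include.environment.locals.environment`) to whatever the CI environment supplies; an unset variable fails loudly, which is fine, but any other value silently points the backend at a differently named bucket, which for a new prefix is an empty one. The root `terragrunt.hcl` hunk on this line makes the same switch for the generated backend block, whose body is cut off below. Consider keeping the derivation from the checked-in locals, or at least adding a `validation` block on the module's input variable that rejects a prefix not starting with `tb-${include.root.locals.short_name}-`, so a misconfigured runner cannot re-home state.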
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.48.0" + version = "5.49.0" constraints = ">= 5.46.0, >= 5.47.0" hashes = [ - "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", - "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", - "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", - "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", - "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", - "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", - "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", - "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", - "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", - "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", - "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } From 7c1a19c7e728651c0cd255c02bb4b131a6fb7ab8 Mon Sep 17 00:00:00 2001 
From: Jo Date: Sun, 12 May 2024 11:53:18 -0400 Subject: [PATCH 220/298] remove testing printenv --- .github/workflows/deploy-staging.yml | 1 - .../stage/network/vpc/.terraform.lock.hcl | 24 +++++++++---------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index c6cf39294..ea61dc00a 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -82,7 +82,6 @@ jobs: - name: vpc working-directory: ./tofu/environments/stage/network/vpc run: | - printenv terragrunt init -upgrade terragrunt validate terragrunt plan -out tfplan diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl index 028c81819..1b7a13847 100644 --- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl +++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.48.0" + version = "5.49.0" constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0" hashes = [ - "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=", - "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0", - "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393", - "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5", - "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136", - "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84", - "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c", - "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b", - "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c", - "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c", - "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } From a6a33d85606fd7087f128a4eae493d5240846dca Mon Sep 17 00:00:00 2001 
From: Jo Date: Sun, 12 May 2024 14:08:24 -0400 Subject: [PATCH 221/298] adding random suffixes & descriptive resource names --- .../backend-infra/.terraform.lock.hcl | 24 +++++++++---------- tofu/modules/data-store/database/main.tf | 12 ++++++++-- tofu/modules/services/frontend-infra/main.tf | 2 +- tofu/modules/terraform/tfbackend/main.tf | 2 +- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index 1ff60906c..d45066419 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.46.0" + version = "5.49.0" constraints = ">= 4.66.1, >= 5.46.0" hashes = [ - "h1:/vOvEEgnd+OY/Bbz6uwwEW1EnlgWQWJsXw5NnwHQOUY=", - "zh:151d35ab9d67f39ab568f5713dd74f0856a7d7b59a8c9557d05eaf0fa305426f", - "zh:2ff7031712d6fca0fc826ca6f1749244cc9aee5141b75ec9aea084a2907d6c40", - "zh:4c7d81be3b3dbb0f46f4a2074c17c72fe4c0a768b92b0882ffff39fdbe6ba310", - "zh:5313b02b5a1d9ece5302f075975a5ac9ba143bb32a457952885ecaa6a44fc232", - "zh:676a050266346d0b07d188c70377d8fb3c85a7a4c605a3ed4f9c6fcfc0537c7f", - "zh:6a02981bff4bd3d00d260e4ce72e5d6e54a7c6ea038cfb664b7cae13cef59b9f", - "zh:8c2a218e7e8969080eb400dd3e6b4707c74e4b0ccad07baaf410efec959162e4", - "zh:d2ea4316ed8f0b92eb62f1c676f7304081730a5cefbd5b36dae0f7bb91305016", - "zh:e310721c4d275a2e0cd222bdbac08676f62153d55c7dd0fbcbbcc2e919e3557f", - "zh:f52ed32e0393840c059fcfdac8022b50a58cffb0e3eff1fda21a58fc68562fe0", + "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", + "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", + "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", + "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", + "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", + "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", + "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", + "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", + "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", + "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", + "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", ] } diff --git a/tofu/modules/data-store/database/main.tf b/tofu/modules/data-store/database/main.tf index a7a695ffe..a37b84478 100644 --- a/tofu/modules/data-store/database/main.tf +++ b/tofu/modules/data-store/database/main.tf 
@@ -5,6 +5,14 @@ locals { } } +resource "random_string" "secret_suffix" { + length = 8 + lower = true + numeric = false + special = false + upper = true +} + module "db" { source = "github.com/terraform-aws-modules/terraform-aws-rds" @@ -83,9 +91,9 @@ resource "aws_vpc_security_group_ingress_rule" "allow_mysql_from_backend" { } resource "aws_secretsmanager_secret" "db_secret" { - name = "${var.name_prefix}-db" + name = "${var.name_prefix}-db-${random_string.secret_suffix.result}" tags = merge(var.tags, { - Name = "${var.name_prefix}-db" + Name = "${var.name_prefix}-db-${random_string.secret_suffix.result}" }) } diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index f56dfd2fc..03eb424cc 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf @@ -193,7 +193,7 @@ resource "aws_cloudfront_distribution" "appointment" { } resource "aws_cloudfront_origin_access_control" "oac" { - name = var.environment + name = "${var.name_prefix}-frontend" origin_access_control_origin_type = "s3" signing_behavior = "always" signing_protocol = "sigv4" diff --git a/tofu/modules/terraform/tfbackend/main.tf b/tofu/modules/terraform/tfbackend/main.tf index c9a2c6096..ac454d4c8 100644 --- a/tofu/modules/terraform/tfbackend/main.tf +++ b/tofu/modules/terraform/tfbackend/main.tf @@ -3,7 +3,7 @@ resource "aws_s3_bucket" "terraform_state" { # Prevent accidental deletion of this S3 bucket lifecycle { - prevent_destroy = true + prevent_destroy = false } tags = var.tags } From d172db901ee95cf7078fbe90527629cdb52aab9e Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 14:18:38 -0400 Subject: [PATCH 222/298] fixing env variable names --- .../services/backend-service/terragrunt.hcl | 26 ++++++++----------- .../services/backend-service/terragrunt.hcl | 25 ++++++++---------- 2 files changed, 22 insertions(+), 29 deletions(-) 
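Review bot: Renaming `aws_secretsmanager_secret.db_secret` to `${var.name_prefix}-db-${random_string.secret_suffix.result}` forces replacement of the existing secret on the next apply, and the stage database `terragrunt.hcl` earlier in this series hard-codes an ARN with the old `...-db-secret-...` naming; whether that ARN is this resource is not visible here, but it is worth confirming before the rename lands. `random_string` without `keepers` keeps its value once in state, so the suffix is stable after the first apply, but the transition still needs either an import of the existing secret or an explicit decision about its recovery window. A comment on the resource would record the motivation, e.g. `# suffix avoids a name collision with a previous secret still in its deletion recovery window` — I am inferring that purpose from the commit title.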
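Review bot: `prevent_destroy = false` on `aws_s3_bucket.terraform_state` removes the only guard against a `destroy` deleting the bucket that holds the remote state, and the comment directly above it, `# Prevent accidental deletion of this S3 bucket`, now states the opposite of what the code does. If this is a temporary change for tearing down a test backend it should be reverted before merge; otherwise update the comment so the next reader is not misled, `# NOTE: deletion guard disabled; re-enable before this backend holds real state`. Whether bucket versioning is enabled is outside this hunk and would be worth confirming as the remaining safety net.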
diff --git a/tofu/environments/prod/services/backend-service/terragrunt.hcl b/tofu/environments/prod/services/backend-service/terragrunt.hcl
index d2434b8a5..7c24f02f7 100644
--- a/tofu/environments/prod/services/backend-service/terragrunt.hcl
+++ b/tofu/environments/prod/services/backend-service/terragrunt.hcl
@@ -56,11 +56,7 @@ locals {
 environment = get_env("TF_VAR_environment")
 name_prefix = get_env("TF_VAR_name_prefix")
 region = get_env("TF_VAR_region")
- //project = include.root.locals.project
- //environment = include.env.locals.environment
 short_name = include.root.locals.short_name
- //name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}"
- //region = include.env.locals.region
 project_tags = include.root.locals.tags
 environment_tags = include.env.locals.tags
 tags = "${merge(local.project_tags, local.environment_tags)}"
@@ -75,19 +71,19 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = get_env("frontend_url") //"https://${local.project}.day" - short_base_url = get_env("short_base_url") //"https://${local.short_name}.day" - app_env = get_env("app_env") //local.environment - sentry_dsn = get_env("sentry_dsn") //"https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" - zoom_auth_callback = get_env("zoom_callback") //"https://${local.project}.day/api/v1/zoom/callback" + frontend_url = get_env("TF_VAR_frontend_url") + short_base_url = get_env("TF_VAR_short_base_url") + app_env = get_env("TF_VAR_app_env") + sentry_dsn = get_env("TF_VAR_sentry_dsn") + zoom_auth_callback = get_env("TF_VAR_zoom_callback") short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = get_env("db_enc_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-db-secret-xcaWVh" - smtp_secret = get_env("smtp_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" - google_oauth_secret = get_env("google_oauth_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-production-google-cal-oauth-8x5LUO" - zoom_secret = get_env("zoom_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" - fxa_secret = get_env("fxa_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:prod/appointment/fxa-lRA3qx" + db_enc_secret = get_env("TF_VAR_db_enc_secret") + smtp_secret = get_env("TF_VAR_smtp_secret") + google_oauth_secret = get_env("TF_VAR_google_oauth_secret") + zoom_secret = get_env("TF_VAR_zoom_secret") + fxa_secret = get_env("TF_VAR_fxa_secret") redis_endpoint = dependency.cache.outputs.endpoint - log_level = get_env("log_level") + 
log_level = get_env("TF_VAR_log_level") tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index af5308d57..0c7ca83c9 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -57,10 +57,7 @@ locals { name_prefix = get_env("TF_VAR_name_prefix") region = get_env("TF_VAR_region") project = include.root.locals.project - //environment = include.env.locals.environment short_name = include.root.locals.short_name - //name_prefix = "tb-${include.root.locals.short_name}-${include.env.locals.environment}" - //region = include.env.locals.region project_tags = include.root.locals.tags environment_tags = include.env.locals.tags tags = "${merge(local.project_tags, local.environment_tags)}" 
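Review bot: The inputs renamed here (`db_enc_secret`, `smtp_secret`, `google_oauth_secret`, `zoom_secret`, `fxa_secret`) receive Secrets Manager ARNs, judging by the values the removed comments carried, yet nothing in the file says so; a one-line comment above them, `# *_secret inputs are Secrets Manager ARNs, not secret values`, would keep a future change from passing secret material through TF_VAR_* environment variables, where it would likely end up in plan output and state. The single-argument `get_env("TF_VAR_…")` form fails the run when a variable is unset, which as far as I recall is terragrunt's documented behaviour and the right default here. The stage hunk that follows (`@@ -75,19 +72,19 @@` in the stage terragrunt.hcl) has the same inputs and would take the same comment.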
@@ -75,19 +72,19 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = get_env("frontend_url") //"https://${local.project}.day" - short_base_url = get_env("short_base_url") //"https://${local.short_name}.day" - app_env = get_env("app_env") //local.environment - sentry_dsn = get_env("sentry_dsn") //"https://5dddca3ecc964284bb8008bc2beef808@o4505428107853824.ingest.sentry.io/4505428124827648" - zoom_auth_callback = get_env("zoom_callback") //"https://${local.project}.day/api/v1/zoom/callback" + frontend_url = get_env("TF_VAR_frontend_url") + short_base_url = get_env("TF_VAR_short_base_url") + app_env = get_env("TF_VAR_app_env") + sentry_dsn = get_env("TF_VAR_sentry_dsn") + zoom_auth_callback = get_env("TF_VAR_zoom_callback") short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = get_env("db_enc_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/db-secret-CYKglI" - smtp_secret = get_env("smtp_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/socketlabs-UYmjaC" - google_oauth_secret = get_env("google_oauth_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/google-cal-oauth-VevaSo" - zoom_secret = get_env("zoom_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/zoom-S862zi" - fxa_secret = get_env("fxa_secret") //"arn:aws:secretsmanager:us-east-1:768512802988:secret:staging/appointment/fxa-fxa-7koQF0" - log_level = get_env("log_level") + db_enc_secret = get_env("TF_VAR_db_enc_secret") + smtp_secret = get_env("TF_VAR_smtp_secret") + google_oauth_secret = get_env("TF_VAR_google_oauth_secret") + zoom_secret = get_env("TF_VAR_zoom_secret") + fxa_secret = get_env("TF_VAR_fxa_secret") + log_level = get_env("TF_VAR_log_level") 
redis_endpoint = dependency.cache.outputs.endpoint tags = local.tags } \ No newline at end of file From bc548624f401a9f2faf32915c55914686750fc6a Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 14:32:23 -0400 Subject: [PATCH 223/298] fixing env variable names --- .github/workflows/deploy-production.yml | 5 +++-- .github/workflows/deploy-staging.yml | 7 +++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 096673a57..ff16548f2 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -159,7 +159,7 @@ jobs: TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} @@ -167,7 +167,8 @@ jobs: TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} - TF_VAR_zoom_secret: ${{ vars.zoom_secret }} + TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }} + TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index ea61dc00a..e8cf28a20 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -148,6 +148,8 @@ jobs: role-to-assume: ${{ secrets.IAM_ROLE }} role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} + + deploy-backend: needs: 
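Review bot: The `vars.zoom_secret` → `vars.ZOOM_SECRET` fix in the deploy-backend job's env is not applied to the deploy-iac job of the same file, whose env still reads `TF_VAR_zoom_secret: ${{ vars.zoom_secret }}` (it shows as context near line 64 in a later patch of this series); apply the same line there, `TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }}`. As far as I know GitHub resolves variable names case-insensitively, so this is about the two jobs agreeing rather than a broken lookup. The staging hunk below fixes deploy-backend only as well, so presumably its deploy-iac env needs the same check.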
@@ -161,7 +163,7 @@ jobs: TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} @@ -169,7 +171,8 @@ jobs: TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} - TF_VAR_zoom_secret: ${{ vars.zoom_secret }} + TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }} + TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - uses: actions/checkout@v4 From fcc59ec767c6c50a48be56e876053054b4d4c4b0 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 14:45:56 -0400 Subject: [PATCH 224/298] fixing docker push --- .github/workflows/deploy-production.yml | 2 +- .github/workflows/deploy-staging.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index ff16548f2..50ffd0d85 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -207,7 +207,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_TAG - echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT + echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - name: backend-service working-directory: ./tofu/environments/prod/services/backend-service diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index e8cf28a20..549290125 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml 
@@ -211,7 +211,7 @@ jobs: # be deployed to ECS. docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_TAG - echo 'image_backend=$ECR_TAG' >> $GITHUB_OUTPUT + echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - name: deploy backend-service working-directory: ./tofu/environments/stage/services/backend-service From 5c07ccfd5deef012f40bc11df2cb24f0e6172e86 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 14:57:41 -0400 Subject: [PATCH 225/298] install aws cli in frontend pipeline --- .github/workflows/deploy-production.yml | 6 ++++++ .github/workflows/deploy-staging.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 50ffd0d85..f1ddcd16e 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -140,6 +140,12 @@ jobs: cp frontend/.env.prod.example frontend/.env.prod cd frontend && yarn build --mode ${{ vars.APP_ENV }} + - name: Install AWS CLI + uses: unfor19/install-aws-cli-action@v1 + with: + version: 2 + arch: amd64 + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 549290125..776e0c1b5 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -142,6 +142,12 @@ jobs: cp frontend/.env.staging.example frontend/.env.staging cd frontend && yarn build --mode ${{ vars.APP_ENV }} + - name: Install AWS CLI + uses: unfor19/install-aws-cli-action@v1 + with: + version: 2 + arch: amd64 + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: From 0b143c03096f2a9c3f2c651648eca4c5bd7e1c34 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 15:23:49 -0400 Subject: [PATCH 226/298] output bucket name & sync --- .github/workflows/deploy-staging.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
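Review bot: `unfor19/install-aws-cli-action@v1` is a third-party action referenced by a mutable major tag, and the `aws` binary it installs is the one that later runs with the OIDC-assumed role in the same job; pin it to a full commit SHA, `uses: unfor19/install-aws-cli-action@<commit-sha>` (placeholder, take the SHA from the action's release), or drop the step, since GitHub-hosted `ubuntu-latest` runners already ship AWS CLI v2. The staging hunk in this patch adds the identical step and needs the same treatment.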
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 776e0c1b5..d560b800f 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -43,6 +43,8 @@ jobs: if: needs.detect-changes.outputs.deploy-iac == 'true' environment: staging runs-on: ubuntu-latest + outputs: + bucket: ${{ steps.output-bucket-name.outputs.bucket }} env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} @@ -119,6 +121,12 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan + - name: output-bucke-name + id: output-bucket-name + run: | + output=$(terragrunt output bucket) + echo "bucket=$output" >> $GITHUB_OUTPUT + deploy-frontend: needs: - detect-changes @@ -154,6 +162,9 @@ jobs: role-to-assume: ${{ secrets.IAM_ROLE }} role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} + + - name: Deploy frontend to S3 + run: aws s3 synv frontend ${{ needs.deploy-iac.outputs.bucket }} From 1e0badb270b8311781005a9cca0f243974ef535b Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 15:29:21 -0400 Subject: [PATCH 227/298] TF working dir error --- .github/workflows/deploy-staging.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index d560b800f..f1140ab5b 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -121,8 +121,9 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan - - name: output-bucke-name + - name: output-bucket-name id: output-bucket-name + working-directory: ./tofu/environments/stage/services/frontend-infra run: | output=$(terragrunt output bucket) echo "bucket=$output" >> $GITHUB_OUTPUT From c12b7b26a8dd034bf96447c42239aac0c36f1ba6 Mon Sep 17 00:00:00 2001 
From: Jo Date: Sun, 12 May 2024 15:34:08 -0400 Subject: [PATCH 228/298] aws command typo --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index f1140ab5b..f9f5bb1d0 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -165,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 synv frontend ${{ needs.deploy-iac.outputs.bucket }} + run: aws s3 sync frontend ${{ needs.deploy-iac.outputs.bucket }} From f06307e165f8f7b992cef7f814f2a8b9fb290a1e Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 16:32:18 -0400 Subject: [PATCH 229/298] remove quotes from s3 URI --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index f9f5bb1d0..49726ea91 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -126,7 +126,7 @@ jobs: working-directory: ./tofu/environments/stage/services/frontend-infra run: | output=$(terragrunt output bucket) - echo "bucket=$output" >> $GITHUB_OUTPUT + echo bucket=$output >> $GITHUB_OUTPUT deploy-frontend: needs: From 72c7917562d6d6532ed69aaf17061aa00f560b6e Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 16:41:56 -0400 Subject: [PATCH 230/298] temporary hardcode s3 bucket --- .github/workflows/deploy-staging.yml | 2 +- .github/workflows/validate.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 49726ea91..7b74be9c9 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml 
@@ -165,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend ${{ needs.deploy-iac.outputs.bucket }} + run: aws s3 sync frontend tb-apmt-stg-frontend.s3.amazonaws.com diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 867ebb3f4..6593c8546 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -7,7 +7,7 @@ concurrency: on: push: branches: - - add-tf-iac + - main permissions: id-token: write # This is required for requesting the JWT From 3ef801402784b51f52af0bb72b97435b0da94097 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 16:49:21 -0400 Subject: [PATCH 231/298] temporary hardcode s3 bucket --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 7b74be9c9..8e0a383e5 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -165,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend tb-apmt-stg-frontend.s3.amazonaws.com + run: aws s3 sync frontend s3://tb-apmt-stg-frontend.s3.amazonaws.com From d46d8550b87bd9480dac72ba4b07ce5f75a1281d Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 16:50:58 -0400 Subject: [PATCH 232/298] temporary hardcode s3 bucket --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 8e0a383e5..f9480c85d 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -165,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend s3://tb-apmt-stg-frontend.s3.amazonaws.com + run: aws s3 sync frontend s3://tb-apmt-stg-frontend 
From 9dfeccfeca67a74038b02657ee22743ef3f1af07 Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 12 May 2024 16:58:23 -0400 Subject: [PATCH 233/298] temporary hardcode s3 bucket --- .github/workflows/deploy-production.yml | 3 +++ .github/workflows/deploy-staging.yml | 9 +-------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index f1ddcd16e..38826f90d 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -152,6 +152,9 @@ jobs: role-to-assume: ${{ secrets.IAM_ROLE }} role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} + + - name: Deploy frontend to S3 + run: aws s3 sync frontend/dist s3://tb-apmt-prod-frontend deploy-backend: needs: diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index f9480c85d..e581817c4 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -121,13 +121,6 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan - - name: output-bucket-name - id: output-bucket-name - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - output=$(terragrunt output bucket) - echo bucket=$output >> $GITHUB_OUTPUT - deploy-frontend: needs: - detect-changes @@ -165,7 +158,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend s3://tb-apmt-stg-frontend + run: aws s3 sync frontend/dist s3://tb-apmt-stg-frontend From faae24f4cc9e4d85fa8aae13c7ad866d890f0d0c Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 08:56:19 -0400 Subject: [PATCH 234/298] dynamic frontend bucket --- .github/workflows/deploy-production.yml | 11 ++++++++++- .github/workflows/deploy-staging.yml | 9 ++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 38826f90d..270d9c254 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -41,6 +41,8 @@ jobs: if: needs.detect-changes.outputs.deploy-iac == 'true' environment: production runs-on: ubuntu-latest + outputs: + bucket: ${{ steps.output-bucket-name.outputs.bucket }} env: TF_VAR_region: ${{ vars.AWS_REGION }} TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} @@ -117,6 +119,13 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan + - name: output-bucket-name + id: output-bucket-name + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + output=$(terragrunt output bucket | tr -d '"') + echo bucket=$output >> $GITHUB_OUTPUT + deploy-frontend: needs: - detect-changes @@ -154,7 +163,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist s3://tb-apmt-prod-frontend + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" //s3://tb-apmt-prod-frontend deploy-backend: needs: diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index e581817c4..83044ff43 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -121,6 +121,13 @@ jobs: terragrunt plan -out tfplan terragrunt apply tfplan + - name: output-bucket-name + id: output-bucket-name + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + output=$(terragrunt output bucket | tr -d '"') + echo bucket=$output >> $GITHUB_OUTPUT + deploy-frontend: needs: - detect-changes @@ -158,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist s3://tb-apmt-stg-frontend + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" //s3://tb-apmt-stg-frontend 
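Review bot: The `output-bucket-name` step added to deploy-production.yml runs in `working-directory: ./tofu/environments/stage/services/frontend-infra`, so the production frontend build is synced to the bucket the stage stack reports; it should read the prod stack, `working-directory: ./tofu/environments/prod/services/frontend-infra`, the directory prefix the backend-service step in this file already uses. The same stage path inside deploy-production.yml recurs unchanged in PATCH 236 (`@@ -123,7 +123,7 @@`), in the `deploy-iac` path filters added in PATCH 237 (`tofu/environments/stage/**`), and in every deploy-iac step re-indented in PATCH 239, so it looks like the production workflow was copied from staging and never re-pointed. Separately, deploy-iac only runs when `deploy-iac == 'true'`, so on a frontend-only change `needs.deploy-iac.outputs.bucket` is empty and the sync targets `s3://`, or deploy-frontend is skipped together with deploy-iac depending on its own `if`, which is outside this hunk; guard the step, e.g. `if: needs.deploy-iac.outputs.bucket != ''`, or fall back to a known bucket name.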
From f8996c91da566cae2059766223a809cb098104ce Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 09:01:52 -0400 Subject: [PATCH 235/298] dynamic frontend bucket --- .github/workflows/deploy-production.yml | 2 +- .github/workflows/deploy-staging.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 270d9c254..23f0055a9 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -163,7 +163,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" //s3://tb-apmt-prod-frontend + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" deploy-backend: needs: diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 83044ff43..748b537ef 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -165,7 +165,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" //s3://tb-apmt-stg-frontend + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" From 13f80894c362bc90b110d9ad97aec64c18aa1640 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 09:12:52 -0400 Subject: [PATCH 236/298] dynamic frontend bucket --- .github/workflows/deploy-production.yml | 2 +- .github/workflows/deploy-staging.yml | 9 ++++++--- tofu/modules/services/frontend-infra/output.tf | 4 ++++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 23f0055a9..ee680890d 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
@@ -123,7 +123,7 @@ jobs: id: output-bucket-name working-directory: ./tofu/environments/stage/services/frontend-infra run: | - output=$(terragrunt output bucket | tr -d '"') + output=$(terragrunt output bucket_name | tr -d '"') echo bucket=$output >> $GITHUB_OUTPUT deploy-frontend: diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 748b537ef..97c49fef0 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -29,14 +29,17 @@ jobs: with: filters: | deploy-iac: - - 'tofu/**' - - '.github/workflows/**' + - 'tofu/modules/**' + - 'tofu/environments/stage/**' + - '.github/workflows/deploy-staging.yml' deploy-backend: - 'backend/**' - 'tofu/modules/services/backend-service/**' - 'tofu/environments/stage/services/backend-service/**' deploy-frontend: - 'frontend/**' + - 'tofu/modules/services/frontend-infra/**' + - 'tofu/environments/stage/services/frontend-infra/**' deploy-iac: needs: detect-changes @@ -125,7 +128,7 @@ jobs: id: output-bucket-name working-directory: ./tofu/environments/stage/services/frontend-infra run: | - output=$(terragrunt output bucket | tr -d '"') + output=$(terragrunt output bucket_name | tr -d '"') echo bucket=$output >> $GITHUB_OUTPUT deploy-frontend: diff --git a/tofu/modules/services/frontend-infra/output.tf b/tofu/modules/services/frontend-infra/output.tf index 8c99a85ae..cc455bb84 100644 --- a/tofu/modules/services/frontend-infra/output.tf +++ b/tofu/modules/services/frontend-infra/output.tf @@ -2,6 +2,10 @@ output "bucket" { value = aws_s3_bucket.frontend.bucket_domain_name } +output "bucket_name" { + value = aws_s3_bucket.frontend.id +} + output "cloudfront_arn" { value = aws_cloudfront_distribution.appointment.arn } From 0accc789eac3a58d1163633329650a1308b9587c Mon Sep 17 00:00:00 2001 
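Review bot: `output=$(terragrunt output bucket_name | tr -d '"')` strips the quotes by hand and, because the pipeline's exit status is `tr`'s, a failing `terragrunt output` leaves `output` empty without failing the step under the default `bash -e` shell; `output=$(terragrunt output -raw bucket_name)` yields the unquoted value and lets the error propagate. The production copy of this step (first hunk) still uses `working-directory: ./tofu/environments/stage/services/frontend-infra` while the rest of that file deploys prod. The new `bucket_name` output in output.tf could carry a short comment distinguishing it from `bucket`, e.g. `# bucket name for "aws s3 sync"; "bucket" above is the bucket domain name`.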
From: Jo Date: Mon, 13 May 2024 09:20:01 -0400 Subject: [PATCH 237/298] adjusting workflow job triggers --- .github/workflows/deploy-production.yml | 9 +++++++-- .github/workflows/deploy-staging.yml | 2 ++ .github/workflows/validate.yml | 6 +++--- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index ee680890d..b8d8c4e9a 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -27,14 +27,19 @@ jobs: with: filters: | deploy-iac: - - 'tofu/**' - - '.github/workflows/**' + - 'tofu/modules/**' + - 'tofu/environments/stage/**' + - '.github/workflows/deploy-production.yml' deploy-backend: - 'backend/**' - 'tofu/modules/services/backend-service/**' - 'tofu/environments/stage/services/backend-service/**' + - '.github/workflows/deploy-production.yml' deploy-frontend: - 'frontend/**' + - 'tofu/modules/services/frontend-infra/**' + - 'tofu/environments/stage/services/frontend-infra/**' + - '.github/workflows/deploy-production.yml' deploy-iac: needs: detect-changes diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 97c49fef0..dfb4bc087 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -36,10 +36,12 @@ jobs: - 'backend/**' - 'tofu/modules/services/backend-service/**' - 'tofu/environments/stage/services/backend-service/**' + - '.github/workflows/deploy-staging.yml' deploy-frontend: - 'frontend/**' - 'tofu/modules/services/frontend-infra/**' - 'tofu/environments/stage/services/frontend-infra/**' + - '.github/workflows/deploy-staging.yml' deploy-iac: needs: detect-changes diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 6593c8546..eefa3a3b8 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
@@ -30,13 +30,13 @@ jobs: filters: | validate-iac: - 'tofu/**' - - '.github/workflows/**' + - '.github/workflows/validate.yml' validate-backend: - 'backend/**' - - 'tofu/modules/services/backend-service/**' - - 'tofu/environments/stage/services/backend-service/**' + - '.github/workflows/validate.yml' validate-frontend: - 'frontend/**' + - '.github/workflows/validate.yml' validate-iac: needs: detect-changes From 70da04b89aa59dabe463b8960405646e4190d5eb Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 10:14:11 -0400 Subject: [PATCH 238/298] link deploy-staging to main branch --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index dfb4bc087..9b0730ba5 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -7,7 +7,7 @@ concurrency: on: push: branches: - - add-tf-iac + - main permissions: id-token: write # This is required for requesting the JWT From 186e581981ff6c9e8224fa0a4d0fc4f94d384818 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 10:32:31 -0400 Subject: [PATCH 239/298] formatting fixes and validate workflow trigger --- .github/workflows/deploy-production.yml | 326 +++++++++++------------ .github/workflows/deploy-staging.yml | 328 ++++++++++++------------ .github/workflows/validate.yml | 193 +++++++------- 3 files changed, 424 insertions(+), 423 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index b8d8c4e9a..5d0178a9a 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
@@ -20,26 +20,26 @@ jobs: deploy-backend: ${{ steps.check.outputs.deploy-backend }} deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - deploy-iac: - - 'tofu/modules/**' - - 'tofu/environments/stage/**' - - '.github/workflows/deploy-production.yml' - deploy-backend: - - 'backend/**' - - 'tofu/modules/services/backend-service/**' - - 'tofu/environments/stage/services/backend-service/**' - - '.github/workflows/deploy-production.yml' - deploy-frontend: - - 'frontend/**' - - 'tofu/modules/services/frontend-infra/**' - - 'tofu/environments/stage/services/frontend-infra/**' - - '.github/workflows/deploy-production.yml' + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + deploy-iac: + - 'tofu/modules/**' + - 'tofu/environments/stage/**' + - '.github/workflows/deploy-production.yml' + deploy-backend: + - 'backend/**' + - 'tofu/modules/services/backend-service/**' + - 'tofu/environments/stage/services/backend-service/**' + - '.github/workflows/deploy-production.yml' + deploy-frontend: + - 'frontend/**' + - 'tofu/modules/services/frontend-infra/**' + - 'tofu/environments/stage/services/frontend-infra/**' + - '.github/workflows/deploy-production.yml' deploy-iac: needs: detect-changes 
@@ -63,73 +63,73 @@ jobs: TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/stage/network/vpc - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: backend-infra - working-directory: ./tofu/environments/stage/services/backend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: cache - working-directory: ./tofu/environments/stage/data-store/cache - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: database - working-directory: ./tofu/environments/stage/data-store/database - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: frontend-infra - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: output-bucket-name - id: output-bucket-name - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - output=$(terragrunt output bucket_name | tr -d '"') - echo bucket=$output >> $GITHUB_OUTPUT + 
- uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: output-bucket-name + id: output-bucket-name + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + output=$(terragrunt output bucket_name | tr -d '"') + echo bucket=$output >> $GITHUB_OUTPUT deploy-frontend: needs: 
@@ -139,36 +139,36 @@ jobs: environment: production runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - name: Setup NPM - uses: actions/setup-node@v4 - with: - node-version: '18.x' - - - name: Install dependencies - run: cd frontend && yarn install - - - name: Build project - run: | - cp frontend/.env.prod.example frontend/.env.prod - cd frontend && yarn build --mode ${{ vars.APP_ENV }} - - - name: Install AWS CLI - uses: unfor19/install-aws-cli-action@v1 - with: - version: 2 - arch: amd64 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" + - uses: actions/checkout@v4 + + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && yarn install + + - name: Build project + run: | + cp frontend/.env.prod.example frontend/.env.prod + cd frontend && yarn build --mode ${{ vars.APP_ENV }} + + - name: Install AWS CLI + uses: unfor19/install-aws-cli-action@v1 + with: + version: 2 + arch: amd64 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: Deploy frontend to S3 + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" deploy-backend: needs: 
@@ -193,49 +193,49 @@ jobs: TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }} TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_TAG - echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - - - name: backend-service - working-directory: ./tofu/environments/prod/services/backend-service - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan - terragrunt apply tfplan + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_TAG + echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT + + - name: backend-service + working-directory: ./tofu/environments/prod/services/backend-service + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan + terragrunt apply tfplan diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 9b0730ba5..bffb5cf20 100644 
--- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -7,7 +7,7 @@ concurrency: on: push: branches: - - main + - main permissions: id-token: write # This is required for requesting the JWT @@ -22,26 +22,26 @@ jobs: deploy-backend: ${{ steps.check.outputs.deploy-backend }} deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - deploy-iac: - - 'tofu/modules/**' - - 'tofu/environments/stage/**' - - '.github/workflows/deploy-staging.yml' - deploy-backend: - - 'backend/**' - - 'tofu/modules/services/backend-service/**' - - 'tofu/environments/stage/services/backend-service/**' - - '.github/workflows/deploy-staging.yml' - deploy-frontend: - - 'frontend/**' - - 'tofu/modules/services/frontend-infra/**' - - 'tofu/environments/stage/services/frontend-infra/**' - - '.github/workflows/deploy-staging.yml' + - uses: actions/checkout@v4 + + - uses: dorny/paths-filter@v3 + id: check + with: + filters: | + deploy-iac: + - 'tofu/modules/**' + - 'tofu/environments/stage/**' + - '.github/workflows/deploy-staging.yml' + deploy-backend: + - 'backend/**' + - 'tofu/modules/services/backend-service/**' + - 'tofu/environments/stage/services/backend-service/**' + - '.github/workflows/deploy-staging.yml' + deploy-frontend: + - 'frontend/**' + - 'tofu/modules/services/frontend-infra/**' + - 'tofu/environments/stage/services/frontend-infra/**' + - '.github/workflows/deploy-staging.yml' deploy-iac: needs: detect-changes 
@@ -65,73 +65,73 @@ jobs: TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/stage/network/vpc - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: backend-infra - working-directory: ./tofu/environments/stage/services/backend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: cache - working-directory: ./tofu/environments/stage/data-store/cache - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: database - working-directory: ./tofu/environments/stage/data-store/database - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: frontend-infra - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: output-bucket-name - id: output-bucket-name - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - output=$(terragrunt output bucket_name | tr -d '"') - echo bucket=$output >> $GITHUB_OUTPUT + 
- uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -out tfplan + terragrunt apply tfplan + + - name: output-bucket-name + id: output-bucket-name + working-directory: ./tofu/environments/stage/services/frontend-infra + run: | + output=$(terragrunt output bucket_name | tr -d '"') + echo bucket=$output >> $GITHUB_OUTPUT deploy-frontend: needs: 
@@ -141,36 +141,36 @@ jobs: environment: staging runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - - name: Setup NPM - uses: actions/setup-node@v4 - with: - node-version: '18.x' - - - name: Install dependencies - run: cd frontend && yarn install - - - name: Build project - run: | - cp frontend/.env.staging.example frontend/.env.staging - cd frontend && yarn build --mode ${{ vars.APP_ENV }} - - - name: Install AWS CLI - uses: unfor19/install-aws-cli-action@v1 - with: - version: 2 - arch: amd64 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" + - uses: actions/checkout@v4 + + - name: Setup NPM + uses: actions/setup-node@v4 + with: + node-version: '18.x' + + - name: Install dependencies + run: cd frontend && yarn install + + - name: Build project + run: | + cp frontend/.env.staging.example frontend/.env.staging + cd frontend && yarn build --mode ${{ vars.APP_ENV }} + + - name: Install AWS CLI + uses: unfor19/install-aws-cli-action@v1 + with: + version: 2 + arch: amd64 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: Deploy frontend to S3 + run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" 
@@ -197,49 +197,49 @@ jobs: TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }} TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_TAG - echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - - - name: deploy backend-service - working-directory: ./tofu/environments/stage/services/backend-service - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan - terragrunt apply tfplan + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + mask-password: 'true' + + - name: Build, tag, and push backend image to Amazon ECR + id: build-backend + env: + ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile + docker push $ECR_TAG + echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT + + - name: deploy backend-service + working-directory: ./tofu/environments/stage/services/backend-service + run: | + terragrunt init -upgrade + terragrunt validate + terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan + terragrunt apply tfplan diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index eefa3a3b8..1bef2be24 100644 
--- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -7,7 +7,8 @@ concurrency: on: push: branches: - - main + - '**' + - '!main' permissions: id-token: write # This is required for requesting the JWT 
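Review bot: With `'**'` the workflow now runs on every push to every non-main branch, and the `id-token: write` grant kept as context here is what the job in the next hunk uses to assume `secrets.IAM_ROLE`, so the cloud role becomes reachable from any branch a collaborator pushes rather than from `main` only. Push events do not fire for forks, so this stays inside the repository's own branches, but what actually bounds it is the role's trust-policy `sub` condition and the deployment-branch rules of the environment the jobs use; both should be checked against this wider trigger. The jobs' `environment:` keys are outside this hunk, so whether they already restrict branches cannot be confirmed from here.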
@@ -58,68 +59,68 @@ jobs: TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/stage/network/vpc - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - - - name: backend-infra - working-directory: ./tofu/environments/stage/services/backend-infra - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - - - name: cache - working-directory: ./tofu/environments/stage/data-store/cache - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - - - name: database - working-directory: ./tofu/environments/stage/data-store/database - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - - - name: frontend-infra - working-directory: ./tofu/environments/stage/services/frontend-infra - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate - - - name: backend-service - working-directory: ./tofu/environments/stage/services/backend-service - continue-on-error: true - run: | - terragrunt init -upgrade - terragrunt validate + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: 
GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v + + - name: vpc + working-directory: ./tofu/environments/stage/network/vpc + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: backend-infra + working-directory: ./tofu/environments/stage/services/backend-infra + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: cache + working-directory: ./tofu/environments/stage/data-store/cache + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: database + working-directory: ./tofu/environments/stage/data-store/database + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: frontend-infra + working-directory: ./tofu/environments/stage/services/frontend-infra + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate + + - name: backend-service + working-directory: ./tofu/environments/stage/services/backend-service + continue-on-error: true + run: | + terragrunt init -upgrade + terragrunt validate validate-backend: needs: detect-changes 
@@ -128,23 +129,23 @@ jobs: if: needs.detect-changes.outputs.validate-backend == 'true' steps: - - uses: actions/checkout@v4 - - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.11' - cache: 'pip' - - - name: Install dependencies - run: | - cd ./backend - python -m pip install --upgrade pip - python -m pip install .'[test]' - - - name: Test with pytest - run: | - cd ./backend && python -m pytest + - uses: actions/checkout@v4 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.11' + cache: 'pip' + + - name: Install dependencies + run: | + cd ./backend + python -m pip install --upgrade pip + python -m pip install .'[test]' + + - name: Test with pytest + run: | + cd ./backend && python -m pytest validate-frontend: needs: detect-changes @@ -152,19 +153,19 @@ jobs: environment: staging if: needs.detect-changes.outputs.validate-frontend == 'true' steps: - - uses: actions/checkout@v4 - - - uses: actions/setup-node@v4 - with: - node-version: 18 - cache: 'yarn' - cache-dependency-path: 'frontend/yarn.lock' - - - name: Install dependencies - run: | - cd ./frontend - yarn install - - - name: Test with vitest - run: | - cd ./frontend && yarn test --run + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: 18 + cache: 'yarn' + cache-dependency-path: 'frontend/yarn.lock' + + - name: Install dependencies + run: | + cd ./frontend + yarn install + + - name: Test with vitest + run: | + cd ./frontend && yarn test --run From f64327df26557df3c8aeb3099e9265a8d5355463 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 10:39:41 -0400 Subject: [PATCH 240/298] add missing env variables --- .github/workflows/deploy-production.yml | 3 ++- .github/workflows/deploy-staging.yml | 3 ++- .github/workflows/validate.yml | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 5d0178a9a..47c68d0ec 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -53,7 +53,7 @@ jobs: TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} @@ -62,6 +62,7 @@ jobs: TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} + TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index bffb5cf20..dc33ff2a0 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -55,7 +55,7 @@ jobs: TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} @@ -64,6 +64,7 @@ jobs: TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} + TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 1bef2be24..bb6a6be4d 100644 --- a/.github/workflows/validate.yml 
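Review bot: The new `TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }}` line, like the neighbouring `TF_VAR_fxa_secret`, `TF_VAR_google_oauth_secret`, `TF_VAR_smtp_secret` and `TF_VAR_zoom_secret` context lines, reads a secret-named value through the `vars` context, which is meant for non-sensitive configuration: `vars` values are not masked in job logs, so a `terragrunt plan` diff or any step that prints its environment can expose them. Move these to the `secrets` context, e.g. `TF_VAR_db_enc_secret: ${{ secrets.DB_ENCRYPTED_SECRET }}`, and declare the matching Terraform variables with `sensitive = true` so plan output redacts them. The same lines appear in this commit's deploy-staging.yml (`@@ -55,7`) and validate.yml (`@@ -49,7`) hunks. `TF_VAR_sentry_dsn` is a DSN rather than a credential, so keeping it in `vars` is defensible.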
+++ b/.github/workflows/validate.yml @@ -49,7 +49,7 @@ jobs: TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_encrypted_secret: ${{ vars.DB_ENCRYPTED_SECRET }} + TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} @@ -58,6 +58,7 @@ jobs: TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} TF_VAR_zoom_secret: ${{ vars.zoom_secret }} + TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - uses: actions/checkout@v4 From 3d1431b6ddef4229b3d82b302fcf6c7f2efa3508 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 10:40:22 -0400 Subject: [PATCH 241/298] add missing env variables --- .github/workflows/validate.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index bb6a6be4d..c18171a91 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -118,7 +118,6 @@ jobs: - name: backend-service working-directory: ./tofu/environments/stage/services/backend-service - continue-on-error: true run: | terragrunt init -upgrade terragrunt validate From ca10bd70e8db20d39f343b11fa1faf0327d06405 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 14:13:49 -0400 Subject: [PATCH 242/298] general cleanup --- .../backend-service/.terraform.lock.hcl | 38 ------------------- 1 file changed, 38 deletions(-) delete mode 100644 tofu/environments/stage/services/backend-service/.terraform.lock.hcl diff --git a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl b/tofu/environments/stage/services/backend-service/.terraform.lock.hcl deleted file mode 100644 index 280be643a..000000000 --- a/tofu/environments/stage/services/backend-service/.terraform.lock.hcl +++ /dev/null 
@@ -1,38 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.48.0"
- constraints = ">= 5.46.0"
- hashes = [
- "h1:UL6B4QXA/ENh05gOYhJGAUWKvgVRhfmnzqQMobSEh9A=",
- "zh:212b33b4270a4f20025dec83b181b0e8044ef382491e0c89ad07c64d6dfacff0",
- "zh:2dd2dadd6fc8752edb6241bdac1bdd49ce64384527dc335a021d61d3870a0393",
- "zh:3d449e369958ab3d0afe2db6be5de22061f8635fe176771c98af41a7f770f1b5",
- "zh:3dd6ca9a102c6164683800d8b1b5def29a51d575b5223063961125de81cca136",
- "zh:422586cf2ea78f8464c97b95f153acdc84b660b2eb474a100338e360593e2d84",
- "zh:70ea10113b724cc69f83e2c1fd65d7d304aaf6bd9f6a45cd1622a5f36506690c",
- "zh:84a48c4a7eb8498beb9f5d78bef5e58516e11a8df131042fb43d3dec62dc899b",
- "zh:9724c095fb8d8d7695769a828e6cc0de95da264487c91af39a645713b293323c",
- "zh:ad9117ef8c7fd8e26aab482a286aa2e641e4887d1816117caa1fd7eaff6a050c",
- "zh:ff32af11624e5104fd4ddd38cecd1beb09da9a7be7f49b0d496080667882b90e",
- ]
-}
-
-provider "registry.opentofu.org/hashicorp/random" {
- version = "3.6.1"
- constraints = ">= 3.6.1"
- hashes = [
- "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=",
- "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b",
- "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063",
- "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03",
- "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600",
- "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59",
- "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17",
- "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9",
- "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8",
- "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39",
- "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f",
- ]
-}
From a0356e80573c54d5e9f05a661dd7005b09efa6de Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 13 May 2024 14:17:49 -0400 Subject: [PATCH 243/298] deployment test --- .github/workflows/deploy-staging.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index dc33ff2a0..18d36234c 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -8,6 +8,7 @@ on: push: branches: - main + - add-tf-iac permissions: id-token: write # This is required for requesting the JWT From 0283d85cd432006010113122fbe0624f4089026e Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 14 May 2024 09:39:53 -0400 Subject: [PATCH 244/298] initial release test --- .github/workflows/deploy-staging.yml | 57 +++++++++++++++++++++++++--- 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 18d36234c..485cb4019 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -20,8 +20,7 @@ jobs: environment: staging outputs: deploy-iac: ${{ steps.check.outputs.deploy-iac }} - deploy-backend: ${{ steps.check.outputs.deploy-backend }} - deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} + deploy-app: ${{ steps.check.outputs.deploy-app }} steps: - uses: actions/checkout@v4 @@ -37,8 +36,6 @@ jobs: - 'backend/**' - 'tofu/modules/services/backend-service/**' - 'tofu/environments/stage/services/backend-service/**' - - '.github/workflows/deploy-staging.yml' - deploy-frontend: - 'frontend/**' - 'tofu/modules/services/frontend-infra/**' - 'tofu/environments/stage/services/frontend-infra/**' @@ -139,7 +136,7 @@ jobs: needs: - detect-changes - deploy-iac - if: needs.detect-changes.outputs.deploy-frontend == 'true' + if: needs.detect-changes.outputs.deploy-app == 'true' environment: staging runs-on: ubuntu-latest steps: 
@@ -170,7 +167,18 @@ jobs: role-to-assume: ${{ secrets.IAM_ROLE }} role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} + + - name: Build frontend archive + run: | + zip -r frontend-${{ github.sha }}.zip frontend/dist + - name: Archive Frontend + uses: actions/upload-artifact@v4 + with: + name: frontend-${{ github.sha }} + path: | + frontend-${{ github.sha }}.zip + - name: Deploy frontend to S3 run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" @@ -180,7 +188,7 @@ jobs: needs: - detect-changes - deploy-iac - if: needs.detect-changes.outputs.deploy-backend == 'true' + if: needs.detect-changes.outputs.deploy-app == 'true' environment: staging runs-on: ubuntu-latest env: @@ -245,3 +253,40 @@ jobs: terragrunt validate terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan terragrunt apply tfplan + + create-release: + needs: + - detect-changes + - deploy-backend + - deploy-frontend + if: needs.detect-changes.outputs.deploy-app == 'true' + environment: staging + runs-on: ubuntu-latest + steps: + - name: download artifact + uses: actions/download-artifact@v3 + with: + name: + frontend-${{ github.sha }} + path: + frontend-${{ github.sha }}.zip + + - name: create release tag + id: create-release-tag + run: echo "tag_name=r-$(printf %04d $GITHUB_RUN_NUMBER)" >> $GITHUB_OUTPUT + + - name: create draft release + uses: softprops/action-gh-release@v2 + with: + tag_name: ${{ steps.create-release-tag.outputs.tag_name }} + name: Release ${{ steps.create-release-tag.outputs.tag_name }} + body: | + ## Info + Commit ${{ github.sha }} was deployed to `staging`. [See code diff](${{ github.event.compare }}). + + It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }}). + + ## How to Promote? + In order to promote this to prod, edit the draft and press **"Publish release"**. + draft: true + files: frontend-${{ github.sha }}.zip 
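Review bot: The new `create-release` job creates a draft release through `softprops/action-gh-release@v2`, which needs `contents: write`, but nothing in this hunk grants it and the workflow-level `permissions` block is outside the hunk; give the job its own `permissions:` block with `contents: write` instead of widening the workflow-level grant, so `deploy-iac`, `deploy-frontend` and `deploy-backend`, which exchange the OIDC token for the AWS role, keep a read-only `GITHUB_TOKEN`. The tag comes from `$GITHUB_RUN_NUMBER`, which a re-run of the same workflow run reuses, so a re-run targets an already-existing tag; whether the action updates or fails on that should be checked. The third-party actions added here (`actions/download-artifact@v3`, `softprops/action-gh-release@v2`) are referenced by mutable major tags like the rest of the file; pinning to a commit SHA is the usual supply-chain hardening for a job that holds a write token.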
From 6370af30d0b2ea6b98870cfb1eb6a5085cf33d70 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 14 May 2024 09:49:31 -0400 Subject: [PATCH 245/298] initial release test --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 485cb4019..da74a67d9 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -32,7 +32,7 @@ jobs: - 'tofu/modules/**' - 'tofu/environments/stage/**' - '.github/workflows/deploy-staging.yml' - deploy-backend: + deploy-app: - 'backend/**' - 'tofu/modules/services/backend-service/**' - 'tofu/environments/stage/services/backend-service/**' From bd40464382ec8f85f9b3d266471151e9ad0f39d6 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 14 May 2024 10:13:19 -0400 Subject: [PATCH 246/298] initial release tests --- .github/workflows/deploy-staging.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index da74a67d9..1c5297d60 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -176,8 +176,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: frontend-${{ github.sha }} - path: | - frontend-${{ github.sha }}.zip + path: frontend-${{ github.sha }}.zip - name: Deploy frontend to S3 run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" @@ -264,12 +263,10 @@ jobs: runs-on: ubuntu-latest steps: - name: download artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: frontend-${{ github.sha }} - path: - frontend-${{ github.sha }}.zip - name: create release tag id: create-release-tag From 99306e86a8ae0a160820e1f5048b78ac78345665 Mon Sep 17 00:00:00 2001 
From: Jo Date: Tue, 14 May 2024 10:29:24 -0400 Subject: [PATCH 247/298] initial release tests --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 1c5297d60..c763f95cf 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -12,7 +12,7 @@ on: permissions: id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: write # This is required for actions/checkout jobs: detect-changes: From f71c4b2449f7ff8fad6a24f014be1b5c9674bace Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 09:12:55 -0400 Subject: [PATCH 248/298] release test --- .github/workflows/deploy-production.yml | 302 ++++++------------ .github/workflows/deploy-staging.yml | 23 +- .../services/backend-service/terragrunt.hcl | 26 +- .../stage/data-store/database/terragrunt.hcl | 4 +- .../services/backend-service/terragrunt.hcl | 28 +- tofu/environments/terragrunt.hcl | 4 +- tofu/modules/data-store/cache/main.tf | 15 + tofu/modules/data-store/cache/variables.tf | 5 + 8 files changed, 175 insertions(+), 232 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 47c68d0ec..1dbc555b4 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
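Review bot: `contents: write` is set at workflow level, so every job in deploy-staging.yml, including the three that assume the AWS role, now runs with a `GITHUB_TOKEN` that can push to the repository, while only the `create-release` job (draft release via `softprops/action-gh-release`, added earlier on this page) needs it. Keep the workflow-level `contents: read` and add a job-level `permissions:` block with `contents: write` on `create-release` only. The trailing comment is stale as well: `# This is required for actions/checkout` described the read grant; if the workflow-level write stays, say what needs it, e.g. `contents: write # action-gh-release needs write to create the draft release`.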
@@ -5,125 +5,95 @@ concurrency: cancel-in-progress: true on: - workflow_dispatch + release: + types: [published] permissions: id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout jobs: - detect-changes: - runs-on: ubuntu-latest - environment: production - outputs: - deploy-iac: ${{ steps.check.outputs.deploy-iac }} - deploy-backend: ${{ steps.check.outputs.deploy-backend }} - deploy-frontend: ${{ steps.check.outputs.deploy-frontend }} - steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - deploy-iac: - - 'tofu/modules/**' - - 'tofu/environments/stage/**' - - '.github/workflows/deploy-production.yml' - deploy-backend: - - 'backend/**' - - 'tofu/modules/services/backend-service/**' - - 'tofu/environments/stage/services/backend-service/**' - - '.github/workflows/deploy-production.yml' - deploy-frontend: - - 'frontend/**' - - 'tofu/modules/services/frontend-infra/**' - - 'tofu/environments/stage/services/frontend-infra/**' - - '.github/workflows/deploy-production.yml' - deploy-iac: - needs: detect-changes - if: needs.detect-changes.outputs.deploy-iac == 'true' environment: production runs-on: ubuntu-latest outputs: bucket: ${{ steps.output-bucket-name.outputs.bucket }} - env: - TF_VAR_region: ${{ vars.AWS_REGION }} - TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} - TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" - TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} - TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} - TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} - TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} - TF_VAR_log_level: ${{ vars.LOG_LEVEL }} - TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} - TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} - TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} - TF_VAR_zoom_secret: ${{ vars.zoom_secret }} - TF_VAR_sentry_dsn: ${{ 
vars.SENTRY_DSN }} +# env: +# TF_VAR_region: ${{ vars.AWS_REGION }} +# TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} +# TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" +# TF_VAR_app_env: ${{ vars.APP_ENV }} +# TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} +# TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} +# TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} +# TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} +# TF_VAR_log_level: ${{ vars.LOG_LEVEL }} +# TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} +# TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} +# TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} +# TF_VAR_zoom_secret: ${{ vars.zoom_secret }} +# TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: - - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: vpc - working-directory: ./tofu/environments/stage/network/vpc - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: backend-infra - working-directory: ./tofu/environments/stage/services/backend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: cache - working-directory: ./tofu/environments/stage/data-store/cache - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: database 
- working-directory: ./tofu/environments/stage/data-store/database - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan - - - name: frontend-infra - working-directory: ./tofu/environments/stage/services/frontend-infra - run: | - terragrunt init -upgrade - terragrunt validate - terragrunt plan -out tfplan - terragrunt apply tfplan +# - uses: actions/checkout@v4 +# +# - name: Configure AWS credentials +# uses: aws-actions/configure-aws-credentials@v4 +# with: +# role-to-assume: ${{ secrets.IAM_ROLE }} +# role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC +# aws-region: ${{ vars.AWS_REGION }} +# +# - name: install opentofu +# uses: opentofu/setup-opentofu@v1 +# with: +# tofu_version: ${{ vars.TF_VERSION }} +# tofu_wrapper: false +# +# - name: install terragrunt +# run: | +# sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" +# sudo chmod +x /bin/terragrunt +# terragrunt -v +# +# - name: vpc +# working-directory: ./tofu/environments/stage/network/vpc +# run: | +# terragrunt init -upgrade +# terragrunt validate +# terragrunt plan -out tfplan +# terragrunt apply tfplan +# +# - name: backend-infra +# working-directory: ./tofu/environments/stage/services/backend-infra +# run: | +# terragrunt init -upgrade +# terragrunt validate +# terragrunt plan -out tfplan +# terragrunt apply tfplan +# +# - name: cache +# working-directory: ./tofu/environments/stage/data-store/cache +# run: | +# terragrunt init -upgrade +# terragrunt validate +# terragrunt plan -out tfplan +# terragrunt apply tfplan +# +# - name: database +# working-directory: ./tofu/environments/stage/data-store/database +# run: | +# terragrunt init -upgrade +# terragrunt validate +# terragrunt plan -out tfplan +# terragrunt apply tfplan +# +# - name: frontend-infra +# working-directory: ./tofu/environments/stage/services/frontend-infra +# run: | +# 
terragrunt init -upgrade +# terragrunt validate +# terragrunt plan -out tfplan +# terragrunt apply tfplan - name: output-bucket-name id: output-bucket-name 
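Review bot: With the job-level `env` block commented out, `deploy-iac` no longer exports any `TF_VAR_*` value, yet the job still ends in the `output-bucket-name` step whose `run` body (in the next hunk) calls `terragrunt output`; the root terragrunt.hcl changed later in this series reads `get_env("TF_VAR_name_prefix")` and `get_env("TF_VAR_region")` with no default, so that step will presumably fail before the release job can use `needs.deploy-iac.outputs.bucket`. If the apply steps are meant to stay disabled during the release test, disabling the whole job is cleaner than leaving a partial one that other jobs depend on. Separately, the commented-out block sources `DB_ENCRYPTED_SECRET`, `FXA_SECRET`, `GOOGLE_OAUTH_SECRET`, `SMTP_SECRET` and `zoom_secret` from `vars.` rather than `secrets.`; when it is re-enabled, read them from `secrets.` so the runner masks them in logs.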
@@ -132,69 +102,33 @@ jobs: output=$(terragrunt output bucket_name | tr -d '"') echo bucket=$output >> $GITHUB_OUTPUT - deploy-frontend: - needs: - - detect-changes - - deploy-iac - if: needs.detect-changes.outputs.deploy-frontend == 'true' + release-production: + name: Release to Production + needs: deploy-iac + if: startsWith(github.ref_name, 'r-') # the prefix we have added to the tag environment: production runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 + permissions: + id-token: write + contents: read - - name: Setup NPM - uses: actions/setup-node@v4 + steps: + - name: Get Artifact from Release + uses: dsaltares/fetch-gh-release-asset@master with: - node-version: '18.x' - - - name: Install dependencies - run: cd frontend && yarn install + version: ${{ github.event.release.id }} + file: frontend.zip - - name: Build project - run: | - cp frontend/.env.prod.example frontend/.env.prod - cd frontend && yarn build --mode ${{ vars.APP_ENV }} + - name: Unzip Artifact + run: unzip frontend.zip - - name: Install AWS CLI - uses: unfor19/install-aws-cli-action@v1 - with: - version: 2 - arch: amd64 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + - name: Get ECR tag from Release + id: get_ecr_tag + uses: dsaltares/fetch-gh-release-asset@master with: - role-to-assume: ${{ secrets.IAM_ROLE }} - role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{ vars.AWS_REGION }} - - - name: Deploy frontend to S3 - run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" - - deploy-backend: - needs: - - detect-changes - - deploy-iac - if: needs.detect-changes.outputs.deploy-backend == 'true' - environment: production - runs-on: ubuntu-latest - env: - TF_VAR_region: ${{ vars.AWS_REGION }} - TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} - TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" - TF_VAR_app_env: ${{ vars.APP_ENV }} - TF_VAR_db_enc_secret: ${{ 
vars.DB_ENCRYPTED_SECRET }} - TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} - TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} - TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} - TF_VAR_log_level: ${{ vars.LOG_LEVEL }} - TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} - TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} - TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} - TF_VAR_zoom_secret: ${{ vars.ZOOM_SECRET }} - TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} - steps: - - uses: actions/checkout@v4 + version: ${{ github.event.release.id }} + file: ecr_tag.txt + target: ./tofu/environments/stage/services/backend-service - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 
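Review bot: Both new `dsaltares/fetch-gh-release-asset@master` steps reference a third-party action by a mutable branch inside the job that holds production credentials, so whatever that branch points to at run time executes in the job. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: dsaltares/fetch-gh-release-asset@<commit-sha> # <version>` (placeholder values), as the first-party actions in this file are at least pinned to a tag. Also, `target: ./tofu/environments/stage/services/backend-service` writes the fetched tag under the stage environment in a job named `release-production`; if the stage path is deliberate for this test, a comment saying so would stop the next reader from assuming production deploys into stage.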
@@ -203,40 +137,14 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ vars.TF_VERSION }} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_TAG: '${{ steps.login-ecr.outputs.registry }}/${{ vars.PROJECT }}:backend-${{ github.sha }}' - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. - docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_TAG - echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - - - name: backend-service - working-directory: ./tofu/environments/prod/services/backend-service + - name: Deploy Backend + working-directory: ./tofu/environments/stage/services/backend-service run: | terragrunt init -upgrade terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' -out tfplan - terragrunt apply tfplan + terragrunt plan -var "image=$(cat steps.get_ecr_tag.outputs.*)" -out tfplan + cat tfplan +# terragrunt apply tfplan + +# - name: Deploy frontend to S3 +# run: aws s3 sync ./frontend/frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" \ No newline at end of file diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index c763f95cf..1fa3ead16 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml 
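Review bot: `terragrunt plan -var "image=$(cat steps.get_ecr_tag.outputs.*)"` is a literal shell glob, not a `${{ steps.… }}` expression, so `cat` looks for a file whose name starts with `steps.get_ecr_tag.outputs.` in the working directory and the image variable ends up empty. The tag was fetched into this same directory as `ecr_tag.txt`, so `-var "image=$(cat ecr_tag.txt)"` is presumably what was intended. The following `cat tfplan` also dumps the saved plan into the job log; a plan file records the input variable values, which for this module include the `*_secret` inputs, so that line should go (inspect with `terragrunt show tfplan` locally if needed).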
@@ -175,8 +175,8 @@ jobs: - name: Archive Frontend uses: actions/upload-artifact@v4 with: - name: frontend-${{ github.sha }} - path: frontend-${{ github.sha }}.zip + name: frontend + path: frontend.zip - name: Deploy frontend to S3 run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" @@ -244,6 +244,13 @@ jobs: docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_TAG echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT + echo $ECR_TAG | cat ecr_tag.txt + + - name: Archive ECR tag + uses: actions/upload-artifact@v4 + with: + name: ecr_tag + path: ecr_tag.txt - name: deploy backend-service working-directory: ./tofu/environments/stage/services/backend-service @@ -266,7 +273,13 @@ jobs: uses: actions/download-artifact@v4 with: name: - frontend-${{ github.sha }} + frontend + + - name: download ecr tag + uses: actions/download-artifact@v4 + with: + name: + ecr_tag.txt - name: create release tag id: create-release-tag @@ -286,4 +299,6 @@ jobs: ## How to Promote? In order to promote this to prod, edit the draft and press **"Publish release"**. draft: true - files: frontend-${{ github.sha }}.zip + files: | + frontend.zip + ecr_tag.txt diff --git a/tofu/environments/prod/services/backend-service/terragrunt.hcl b/tofu/environments/prod/services/backend-service/terragrunt.hcl index 7c24f02f7..f66551520 100644 --- a/tofu/environments/prod/services/backend-service/terragrunt.hcl +++ b/tofu/environments/prod/services/backend-service/terragrunt.hcl 
@@ -53,10 +53,10 @@ dependency "cache" { } locals { - environment = get_env("TF_VAR_environment") - name_prefix = get_env("TF_VAR_name_prefix") - region = get_env("TF_VAR_region") - short_name = include.root.locals.short_name + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") + short_name = include.root.locals.short_name project_tags = include.root.locals.tags environment_tags = include.env.locals.tags tags = "${merge(local.project_tags, local.environment_tags)}" @@ -71,18 +71,18 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = get_env("TF_VAR_frontend_url") - short_base_url = get_env("TF_VAR_short_base_url") - app_env = get_env("TF_VAR_app_env") - sentry_dsn = get_env("TF_VAR_sentry_dsn") - zoom_auth_callback = get_env("TF_VAR_zoom_callback") + frontend_url = get_env("TF_VAR_frontend_url") + short_base_url = get_env("TF_VAR_short_base_url") + app_env = get_env("TF_VAR_app_env") + sentry_dsn = get_env("TF_VAR_sentry_dsn") + zoom_auth_callback = get_env("TF_VAR_zoom_callback") short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = get_env("TF_VAR_db_enc_secret") - smtp_secret = get_env("TF_VAR_smtp_secret") + db_enc_secret = get_env("TF_VAR_db_enc_secret") + smtp_secret = get_env("TF_VAR_smtp_secret") google_oauth_secret = get_env("TF_VAR_google_oauth_secret") - zoom_secret = get_env("TF_VAR_zoom_secret") - fxa_secret = get_env("TF_VAR_fxa_secret") + zoom_secret = get_env("TF_VAR_zoom_secret") + fxa_secret = get_env("TF_VAR_fxa_secret") redis_endpoint = dependency.cache.outputs.endpoint log_level = get_env("TF_VAR_log_level") tags = local.tags 
diff --git a/tofu/environments/stage/data-store/database/terragrunt.hcl b/tofu/environments/stage/data-store/database/terragrunt.hcl index 779a2c4d0..474f1c1ca 100644 --- a/tofu/environments/stage/data-store/database/terragrunt.hcl +++ b/tofu/environments/stage/data-store/database/terragrunt.hcl @@ -19,7 +19,7 @@ dependency "vpc" { mock_outputs = { vpc_id = "mock_vpc_id" database_subnet_group = "mock_subnet_group" - database_subnets = [] + database_subnets = [] } } @@ -58,7 +58,7 @@ inputs = { region = local.region vpc = dependency.vpc.outputs.vpc_id subnet_group = local.name_prefix //dependency.vpc.outputs.database_subnet_group - database_subnets = dependency.vpc.outputs.database_subnets + database_subnets = dependency.vpc.outputs.database_subnets elasticache_security_group = dependency.cache.outputs.security_group_id backend_security_group = dependency.backend.outputs.security_group_id database_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:tb-apmt-stage-db-secret-V0syHj" diff --git a/tofu/environments/stage/services/backend-service/terragrunt.hcl b/tofu/environments/stage/services/backend-service/terragrunt.hcl index 0c7ca83c9..2a2243204 100644 --- a/tofu/environments/stage/services/backend-service/terragrunt.hcl +++ b/tofu/environments/stage/services/backend-service/terragrunt.hcl @@ -53,11 +53,11 @@ dependency "cache" { } locals { - environment = get_env("TF_VAR_environment") - name_prefix = get_env("TF_VAR_name_prefix") - region = get_env("TF_VAR_region") - project = include.root.locals.project - short_name = include.root.locals.short_name + environment = get_env("TF_VAR_environment") + name_prefix = get_env("TF_VAR_name_prefix") + region = get_env("TF_VAR_region") + project = include.root.locals.project + short_name = include.root.locals.short_name project_tags = include.root.locals.tags environment_tags = include.env.locals.tags tags = "${merge(local.project_tags, local.environment_tags)}" 
@@ -72,18 +72,18 @@ inputs = { security_group = dependency.backend-infra.outputs.security_group_id ecs_cluster = dependency.backend-infra.outputs.cluster_id task_execution_role = dependency.vpc.outputs.ecs_execution_role - frontend_url = get_env("TF_VAR_frontend_url") - short_base_url = get_env("TF_VAR_short_base_url") - app_env = get_env("TF_VAR_app_env") - sentry_dsn = get_env("TF_VAR_sentry_dsn") - zoom_auth_callback = get_env("TF_VAR_zoom_callback") + frontend_url = get_env("TF_VAR_frontend_url") + short_base_url = get_env("TF_VAR_short_base_url") + app_env = get_env("TF_VAR_app_env") + sentry_dsn = get_env("TF_VAR_sentry_dsn") + zoom_auth_callback = get_env("TF_VAR_zoom_callback") short_name = local.short_name database_secret = dependency.database.outputs.db_secret - db_enc_secret = get_env("TF_VAR_db_enc_secret") - smtp_secret = get_env("TF_VAR_smtp_secret") - google_oauth_secret = get_env("TF_VAR_google_oauth_secret") + db_enc_secret = get_env("TF_VAR_db_enc_secret") + smtp_secret = get_env("TF_VAR_smtp_secret") + google_oauth_secret = get_env("TF_VAR_google_oauth_secret") zoom_secret = get_env("TF_VAR_zoom_secret") - fxa_secret = get_env("TF_VAR_fxa_secret") + fxa_secret = get_env("TF_VAR_fxa_secret") log_level = get_env("TF_VAR_log_level") redis_endpoint = dependency.cache.outputs.endpoint tags = local.tags diff --git a/tofu/environments/terragrunt.hcl b/tofu/environments/terragrunt.hcl index d790f82e2..652cd06ea 100644 --- a/tofu/environments/terragrunt.hcl +++ b/tofu/environments/terragrunt.hcl @@ -6,8 +6,8 @@ terragrunt_version_constraint = ">= 0.55.15" locals { project_vars = yamldecode(file("project_vars.yaml")) - project = local.project_vars.project - short_name = local.project_vars.short_name + project = local.project_vars.project + short_name = local.project_vars.short_name name_prefix = get_env("TF_VAR_name_prefix") region = get_env("TF_VAR_region") 
diff --git a/tofu/modules/data-store/cache/main.tf b/tofu/modules/data-store/cache/main.tf index 6efa74c90..ae2938aa9 100644 --- a/tofu/modules/data-store/cache/main.tf +++ b/tofu/modules/data-store/cache/main.tf @@ -36,3 +36,18 @@ resource "aws_vpc_security_group_ingress_rule" "ingress" { Name = "${var.name_prefix}-redis" }) } + +resource "aws_vpc_security_group_egress_rule" "egress" { + for_each = toset(var.database_subnet_cidrs) + + security_group_id = aws_security_group.redis.id + description = "mysql(3306) to DB" + from_port = 3306 + to_port = 3306 + ip_protocol = "tcp" + cidr_ipv4 = each.key + + tags = merge(var.tags, { + Name = "${var.name_prefix}-redis" + }) +} diff --git a/tofu/modules/data-store/cache/variables.tf b/tofu/modules/data-store/cache/variables.tf index 1c38bfbc6..1ebb06499 100644 --- a/tofu/modules/data-store/cache/variables.tf +++ b/tofu/modules/data-store/cache/variables.tf @@ -23,4 +23,9 @@ variable "source_security_groups" { type = list(any) } +variable "database_subnet_cidrs" { + description = "Database subnet CIDRs" + type = list(any) +} + From 78e9a6329a671224a2ad3bd47d96170167a8273a Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 09:16:55 -0400 Subject: [PATCH 249/298] release test --- tofu/environments/stage/data-store/cache/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index c7d578ca3..352011bcd 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl +++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -47,5 +47,6 @@ inputs = { vpc = dependency.vpc.outputs.vpc_id subnets = dependency.vpc.outputs.database_subnets source_security_groups = [dependency.backend.outputs.security_group_id] + database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs tags = local.tags } \ No newline at end of file From e86b81db4b71140e9c31498be7f4ea003b272be0 Mon Sep 17 00:00:00 2001 
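Review bot: The new `aws_vpc_security_group_egress_rule` opens TCP 3306 from the Redis security group toward every database subnet CIDR, but nothing on the page shows the cache needing to reach the database; if this is really the backend-to-database path it belongs on the backend's security group, and if the cache genuinely needs it the `description` should say why rather than just "mysql(3306) to DB". The rule also reuses the ingress rule's `Name = "${var.name_prefix}-redis"` tag, so two distinct rules carry the same Name. Finally, `database_subnet_cidrs` is declared `list(any)` and fed straight into `cidr_ipv4`; `type = list(string)` with a `validation` block along the lines of `condition = alltrue([for c in var.database_subnet_cidrs : can(cidrhost(c, 0))])` would reject non-CIDR input at plan time instead of at apply.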
From: Jo Date: Thu, 16 May 2024 09:37:56 -0400 Subject: [PATCH 250/298] release test --- .github/workflows/deploy-staging.yml | 2 +- tofu/environments/prod/data-store/cache/terragrunt.hcl | 4 +++- tofu/environments/stage/data-store/cache/terragrunt.hcl | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 1fa3ead16..391cf1b9c 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -244,7 +244,7 @@ jobs: docker build -t $ECR_TAG ./backend -f ./backend/deploy.dockerfile docker push $ECR_TAG echo "image_backend=$ECR_TAG" >> $GITHUB_OUTPUT - echo $ECR_TAG | cat ecr_tag.txt + echo $ECR_TAG > ecr_tag.txt - name: Archive ECR tag uses: actions/upload-artifact@v4 diff --git a/tofu/environments/prod/data-store/cache/terragrunt.hcl b/tofu/environments/prod/data-store/cache/terragrunt.hcl index c7d578ca3..0fe750d09 100644 --- a/tofu/environments/prod/data-store/cache/terragrunt.hcl +++ b/tofu/environments/prod/data-store/cache/terragrunt.hcl @@ -18,7 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" - database_subnets = ["subnet-mocksubnet1234567"] + subnets = ["subnet-mocksubnet1234567"] + database_subnet_cidrs = ["subnet-mocksubnet1234567"] source_security_groups = ["sg-mocksecuritygroup"] } } @@ -47,5 +48,6 @@ inputs = { vpc = dependency.vpc.outputs.vpc_id subnets = dependency.vpc.outputs.database_subnets source_security_groups = [dependency.backend.outputs.security_group_id] + database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs tags = local.tags } \ No newline at end of file diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 352011bcd..0fe750d09 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl 
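Review bot: The mock output `database_subnet_cidrs = ["subnet-mocksubnet1234567"]` is a subnet id, not a CIDR, and the cache module passes each element into `cidr_ipv4`, so a mocked `plan` (which `mock_outputs_allowed_terraform_commands` permits) will fail validation; use a CIDR literal such as `["10.0.0.0/24"]` (constructed example). In the same hunk the mock key `database_subnets` was renamed to `subnets`, while `inputs` below still reads `dependency.vpc.outputs.database_subnets`, so the mocked dependency no longer provides the key the config asks for. The stage file in the following hunk has the same two issues.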
+++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -18,7 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" - database_subnets = ["subnet-mocksubnet1234567"] + subnets = ["subnet-mocksubnet1234567"] + database_subnet_cidrs = ["subnet-mocksubnet1234567"] source_security_groups = ["sg-mocksecuritygroup"] } } From a20aedbc7962309a2fcecc634991d7df204bdbda Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 09:45:52 -0400 Subject: [PATCH 251/298] release test --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 391cf1b9c..8f734d7a8 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -170,7 +170,7 @@ jobs: - name: Build frontend archive run: | - zip -r frontend-${{ github.sha }}.zip frontend/dist + zip -r frontend.zip frontend/dist - name: Archive Frontend uses: actions/upload-artifact@v4 From 3d3c15080a8b88cb3c44500b686911b1671945ff Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 10:01:18 -0400 Subject: [PATCH 252/298] release test --- .github/workflows/deploy-production.yml | 4 ++++ .github/workflows/deploy-staging.yml | 14 +++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 1dbc555b4..763ae9438 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml @@ -129,6 +129,10 @@ jobs: version: ${{ github.event.release.id }} file: ecr_tag.txt target: ./tofu/environments/stage/services/backend-service + + - name: Unzip ECR tag + working-directory: ./tofu/environments/stage/services/backend-service + run: unzip ecr_tag.zip - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 
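Review bot: The new `Unzip ECR tag` step runs `unzip ecr_tag.zip`, but the fetch step just above it downloads the release asset named `ecr_tag.txt` into that directory, so the file being unzipped is not the one that was fetched. Either change the fetch to `file: ecr_tag.zip` or keep `ecr_tag.txt` and drop the unzip step; the `Deploy Backend` step that consumes the tag is outside this hunk, so whichever name is chosen has to match there as well.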
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 8f734d7a8..57cacb77b 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -168,15 +168,15 @@ jobs: role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC aws-region: ${{ vars.AWS_REGION }} - - name: Build frontend archive - run: | - zip -r frontend.zip frontend/dist - +# - name: Build frontend archive +# run: | +# zip -r frontend.zip frontend/dist +# - name: Archive Frontend uses: actions/upload-artifact@v4 with: name: frontend - path: frontend.zip + path: frontend/dist - name: Deploy frontend to S3 run: aws s3 sync frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}" @@ -279,7 +279,7 @@ jobs: uses: actions/download-artifact@v4 with: name: - ecr_tag.txt + ecr_tag - name: create release tag id: create-release-tag @@ -301,4 +301,4 @@ jobs: draft: true files: | frontend.zip - ecr_tag.txt + ecr_tag.zip From 491eafb1cdd474d71578d74164337dd72ee31fed Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 11:16:31 -0400 Subject: [PATCH 253/298] release test --- .github/workflows/deploy-production.yml | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml index 763ae9438..d006fdbba 100644 --- a/.github/workflows/deploy-production.yml +++ b/.github/workflows/deploy-production.yml 
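Review bot: The release step now lists `frontend.zip` and `ecr_tag.zip` as assets, but nothing left in this workflow produces either file: the `zip -r frontend.zip` step is commented out in the first hunk, the frontend artifact is now uploaded as the `frontend/dist` directory, and `actions/download-artifact@v4` extracts an artifact's contents rather than leaving a zip in the workspace (as far as I know). The release job will therefore either fail or publish a release without the assets the production workflow later fetches. If the intent is to ship archives, re-enable the zip step and upload/download the `.zip` files by name; if the intent is directories, the production `fetch-gh-release-asset` steps expecting `frontend.zip` and an `ecr_tag` archive need to change to match.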
@@ -34,26 +34,26 @@ jobs: # TF_VAR_zoom_secret: ${{ vars.zoom_secret }} # TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} steps: -# - uses: actions/checkout@v4 -# -# - name: Configure AWS credentials -# uses: aws-actions/configure-aws-credentials@v4 -# with: -# role-to-assume: ${{ secrets.IAM_ROLE }} -# role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC -# aws-region: ${{ vars.AWS_REGION }} -# -# - name: install opentofu -# uses: opentofu/setup-opentofu@v1 -# with: -# tofu_version: ${{ vars.TF_VERSION }} -# tofu_wrapper: false -# -# - name: install terragrunt -# run: | -# sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" -# sudo chmod +x /bin/terragrunt -# terragrunt -v + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC + aws-region: ${{ vars.AWS_REGION }} + + - name: install opentofu + uses: opentofu/setup-opentofu@v1 + with: + tofu_version: ${{ vars.TF_VERSION }} + tofu_wrapper: false + + - name: install terragrunt + run: | + sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" + sudo chmod +x /bin/terragrunt + terragrunt -v # # - name: vpc # working-directory: ./tofu/environments/stage/network/vpc From 342680306be6ba61fbb8da6fb549eb5f7eb5d844 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 12:53:58 -0400 Subject: [PATCH 254/298] fixing container permissions --- tofu/modules/network/vpc/main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tofu/modules/network/vpc/main.tf b/tofu/modules/network/vpc/main.tf index 50d191480..4c1010e30 100644 --- a/tofu/modules/network/vpc/main.tf +++ b/tofu/modules/network/vpc/main.tf 
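Review bot: The re-enabled `install terragrunt` step downloads a binary with `wget` straight into `/bin` and executes it with no integrity check, in a job that obtains production AWS credentials via OIDC in the step just before. `${{ vars.TG_VERSION }}` selects a version, but nothing verifies that what was served is the published binary; download the checksum file published alongside the release and verify with `sha256sum -c` (or compare against a checksum recorded in the workflow) before the `chmod +x`. The same `wget`/`chmod` pattern appears in the commented-out steps of this file and presumably in the staging workflow, so the fix is worth applying wherever the step is copied.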
@@ -132,8 +132,7 @@ resource "aws_iam_policy" "appointment_secrets_policy" { "secretsmanager:GetSecretValue" ], "Resource": [ - "arn:aws:secretsmanager:${var.region}:768512802988:secret:staging/appointment/*", - "arn:aws:secretsmanager:${var.region}:768512802988:secret:${var.name_prefix}-db-secret-*" + "arn:aws:secretsmanager:${var.region}:768512802988:secret:${var.name_prefix}-*" ] } ] From 88f10ce3ca14e8e6ff6be902b0ee781742643c7d Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 13:08:31 -0400 Subject: [PATCH 255/298] removed unnecessary quotes --- tofu/modules/services/backend-service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index 3fc8800f8..66ed96f41 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf @@ -72,7 +72,7 @@ resource "aws_ecs_task_definition" "backend" { }, { "name" : "LOG_LEVEL", - "value" : "var.log_level" + "value" : var.log_level }, { "name" : "APP_ENV", From 7f8c221d09acc9350c0f03dc9dc4f1d0cea49888 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 13:29:42 -0400 Subject: [PATCH 256/298] deployment test --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 57cacb77b..fa41de8b3 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -171,7 +171,7 @@ jobs: # - name: Build frontend archive # run: | # zip -r frontend.zip frontend/dist -# + - name: Archive Frontend uses: actions/upload-artifact@v4 with: From f21f6e4a36bf039cd7f04a5b9c3c0918259cf86b Mon Sep 17 00:00:00 2001 
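Review bot: Collapsing the two `Resource` entries into `secret:${var.name_prefix}-*` grants `secretsmanager:GetSecretValue` on every current and future secret sharing the environment prefix, not just the database secret the policy previously named plus the `staging/appointment/*` tree. If the task now needs several secrets (the backend-service inputs elsewhere in this series pass `db_enc_secret`, `smtp_secret`, `google_oauth_secret`, `zoom_secret` and `fxa_secret`), list those ARNs explicitly or accept them as a `list(string)` variable and build `Resource` from it, so the grant stays enumerable as secrets are added. The hard-coded account id in the ARN would also be better taken from `data.aws_caller_identity` so the module is not tied to a single account.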
From: Melissa Autumn Date: Thu, 16 May 2024 10:43:38 -0700 Subject: [PATCH 257/298] Swap env example: staging -> stage --- frontend/{.env.staging.example => .env.stage.example} | 0 frontend/deploy.dockerfile | 6 +++--- 2 files changed, 3 insertions(+), 3 deletions(-) rename frontend/{.env.staging.example => .env.stage.example} (100%) diff --git a/frontend/.env.staging.example b/frontend/.env.stage.example similarity index 100% rename from frontend/.env.staging.example rename to frontend/.env.stage.example diff --git a/frontend/deploy.dockerfile b/frontend/deploy.dockerfile index 8aa183c14..10f573074 100644 --- a/frontend/deploy.dockerfile +++ b/frontend/deploy.dockerfile @@ -3,8 +3,8 @@ FROM nginx:stable # Copy over files COPY . /build/frontend -# Copy over the staging config -RUN mv /build/frontend/.env.staging.example /build/frontend/.env.staging +# Copy over the stage config +RUN mv /build/frontend/.env.stage.example /build/frontend/.env.stage # Add Node 18 support RUN apt-get update @@ -19,7 +19,7 @@ RUN npm install --global yarn # Build site RUN cd /build/frontend && yarn install -RUN cd /build/frontend && yarn build --mode staging +RUN cd /build/frontend && yarn build --mode stage # Use our custom nginx config RUN rm /etc/nginx/conf.d/default.conf From 404376d927d714822099d3e23062140b8c8dcb86 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 13:50:27 -0400 Subject: [PATCH 258/298] staging -> stage --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index fa41de8b3..9907a3cab 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -152,7 +152,7 @@ jobs: - name: Build project run: | - cp frontend/.env.staging.example frontend/.env.staging + cp frontend/.env.stage.example frontend/.env.staging cd frontend && yarn build --mode ${{ vars.APP_ENV }} - name: Install AWS CLI 
From ba834e266c94609dde4a4a7fe4b41844fb3cd44b Mon Sep 17 00:00:00 2001 From: Melissa Autumn Date: Thu, 16 May 2024 11:15:37 -0700 Subject: [PATCH 259/298] staging -> stage pt2. --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 9907a3cab..49c36eed8 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -152,7 +152,7 @@ jobs: - name: Build project run: | - cp frontend/.env.stage.example frontend/.env.staging + cp frontend/.env.stage.example frontend/.env.stage cd frontend && yarn build --mode ${{ vars.APP_ENV }} - name: Install AWS CLI From 98c69678d82981afa066c7e98adf63314f13eca4 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 14:27:49 -0400 Subject: [PATCH 260/298] staging -> stage --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 49c36eed8..24a97e4cb 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -171,7 +171,7 @@ jobs: # - name: Build frontend archive # run: | # zip -r frontend.zip frontend/dist - +# - name: Archive Frontend uses: actions/upload-artifact@v4 with: From fb0d73b25d572fd0ede7a651898af57b7377d139 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 16 May 2024 15:32:59 -0400 Subject: [PATCH 261/298] testing redis serveless connection --- tofu/modules/services/backend-service/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf index 66ed96f41..e13885605 100644 --- a/tofu/modules/services/backend-service/main.tf +++ b/tofu/modules/services/backend-service/main.tf 
@@ -108,7 +108,7 @@ resource "aws_ecs_task_definition" "backend" {
 },
 {
 "name": "REDIS_URL",
- "value": var.redis_endpoint
+ "value": "master.${var.redis_endpoint}"
 },
 {
 "name": "REDIS_PORT",
From 19a1793570ca920d8491f8a10b44e7a61853821b Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 16 May 2024 15:56:18 -0400
Subject: [PATCH 262/298] testing redis serveless connection
---
 tofu/modules/services/backend-service/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index e13885605..aef019ccc 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -108,7 +108,7 @@ resource "aws_ecs_task_definition" "backend" {
 },
 {
 "name": "REDIS_URL",
- "value": "master.${var.redis_endpoint}"
+ "value": ${var.redis_endpoint}
 },
 {
 "name": "REDIS_PORT",
From 414e838aeca4206b8ecd37bda974ffd2e87d6e13 Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 16 May 2024 16:01:55 -0400
Subject: [PATCH 263/298] testing redis serveless connection
---
 tofu/modules/services/backend-service/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index aef019ccc..66ed96f41 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -108,7 +108,7 @@ resource "aws_ecs_task_definition" "backend" {
 },
 {
 "name": "REDIS_URL",
- "value": ${var.redis_endpoint}
+ "value": var.redis_endpoint
 },
 {
 "name": "REDIS_PORT",
From 97523d90a68257f179baed7dd6f2cf5b400361ff Mon Sep 17 00:00:00 2001
From: Jo
Date: Fri, 17 May 2024 10:12:08 -0400
Subject: [PATCH 264/298] testing updated secret names
---
 .github/workflows/deploy-staging.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
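Review bot: After these three commits `REDIS_URL` is back to the bare endpoint hostname from `var.redis_endpoint`, with no scheme and no TLS flag beside it; ElastiCache Serverless only accepts TLS connections, so unless the backend's Redis client is told to use TLS somewhere not visible here, the "testing" connection will keep failing whatever prefix is put on the hostname. Consider passing an explicit `"value": "rediss://${var.redis_endpoint}"` or a dedicated `REDIS_USE_SSL` entry next to `REDIS_PORT`, whichever the backend client expects. The intermediate form `"value": ${var.redis_endpoint}` from patch 262 is not valid HCL outside a quoted string, so a local `tofu validate` would have caught it without a round-trip through CI. The enclosing `aws_ecs_task_definition` resource starts and ends outside the hunk.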
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml index 24a97e4cb..efa86d480 100644 --- a/.github/workflows/deploy-staging.yml +++ b/.github/workflows/deploy-staging.yml @@ -292,7 +292,7 @@ jobs: name: Release ${{ steps.create-release-tag.outputs.tag_name }} body: | ## Info - Commit ${{ github.sha }} was deployed to `staging`. [See code diff](${{ github.event.compare }}). + Commit ${{ github.sha }} was deployed to `stage`. [See code diff](${{ github.event.compare }}). It was initialized by [${{ github.event.sender.login }}](${{ github.event.sender.html_url }}). From 826e0112f8649cc7bb694bfd7b7c6f1826acc3a1 Mon Sep 17 00:00:00 2001 
From: Jo Date: Thu, 21 Mar 2024 09:16:28 -0400 Subject: [PATCH 265/298] initial commit --- .../data-store/cache/.terraform.lock.hcl | 19 ++ .../data-store/cache/terragrunt.hcl | 51 +++++ .../data-store/database/.terraform.lock.hcl | 38 ++++ .../data-store/database/terragrunt.hcl | 63 ++++++ tofu/environments/production/environment.hcl | 10 + .../production/environment_vars.yaml | 4 + .../network/vpc/.terraform.lock.hcl | 20 ++ .../production/network/vpc/terragrunt.hcl | 31 +++ .../services/backend/.terraform.lock.hcl | 20 ++ .../services/backend/terragrunt.hcl | 50 +++++ .../services/frontend/.terraform.lock.hcl | 19 ++ .../services/frontend/terragrunt.hcl | 46 ++++ .../terraform/tfbackend/.terraform.lock.hcl | 19 ++ .../terraform/tfbackend/terragrunt.hcl | 28 +++ .../services/backend/.terraform.lock.hcl | 20 ++ .../stage/services/backend/terragrunt.hcl | 50 +++++ tofu/modules/services/backend/main.tf | 206 ++++++++++++++++++ tofu/modules/services/backend/outputs.tf | 11 + tofu/modules/services/backend/variables.tf | 49 +++++ 19 files changed, 754 insertions(+) create mode 100644 tofu/environments/production/data-store/cache/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/cache/terragrunt.hcl create mode 100644 tofu/environments/production/data-store/database/.terraform.lock.hcl create mode 100644 tofu/environments/production/data-store/database/terragrunt.hcl create mode 100644 tofu/environments/production/environment.hcl create mode 100644 tofu/environments/production/environment_vars.yaml create mode 100644 tofu/environments/production/network/vpc/.terraform.lock.hcl create mode 100644 tofu/environments/production/network/vpc/terragrunt.hcl create mode 100644 tofu/environments/production/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/production/services/backend/terragrunt.hcl create mode 100644 tofu/environments/production/services/frontend/.terraform.lock.hcl create mode 100644 
tofu/environments/production/services/frontend/terragrunt.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl create mode 100644 tofu/environments/production/terraform/tfbackend/terragrunt.hcl create mode 100644 tofu/environments/stage/services/backend/.terraform.lock.hcl create mode 100644 tofu/environments/stage/services/backend/terragrunt.hcl create mode 100644 tofu/modules/services/backend/main.tf create mode 100644 tofu/modules/services/backend/outputs.tf create mode 100644 tofu/modules/services/backend/variables.tf diff --git a/tofu/environments/production/data-store/cache/.terraform.lock.hcl b/tofu/environments/production/data-store/cache/.terraform.lock.hcl new file mode 100644 index 000000000..b88b3b5eb --- /dev/null +++ b/tofu/environments/production/data-store/cache/.terraform.lock.hcl @@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} 
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl new file mode 100644 index 000000000..38984b063 --- /dev/null +++ b/tofu/environments/production/data-store/cache/terragrunt.hcl @@ -0,0 +1,51 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/data-store/cache" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + vpc_id = "mock_vpc_id" + subnets = [] + source_security_groups = [] + } +} + +dependency "backend" { + config_path = "../../services/backend" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + security_group_id = "mock_sg_id" + } +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + name_prefix = local.name_prefix + vpc = dependency.vpc.outputs.vpc_id + subnets = dependency.vpc.outputs.database_subnets + source_security_groups = [dependency.backend.outputs.security_group_id] + tags = local.tags +} \ No newline at end of file diff --git a/tofu/environments/production/data-store/database/.terraform.lock.hcl b/tofu/environments/production/data-store/database/.terraform.lock.hcl new file mode 100644 index 000000000..520f9bfec --- /dev/null +++ b/tofu/environments/production/data-store/database/.terraform.lock.hcl 
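Review bot: The `vpc` mock_outputs in this new cache config do not cover what the inputs actually read: the mock declares `subnets` and `source_security_groups` (which look copied from the cache module's own inputs rather than from VPC outputs) while `inputs` reads `dependency.vpc.outputs.database_subnets`, so `terragrunt validate` on a fresh environment, the one case where the mock is used, fails with an unsupported-attribute error. Replace the two stray keys with `database_subnets = []` so the mock mirrors the outputs this config depends on.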
@@ -0,0 +1,38 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 5.36.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.0" + constraints = ">= 3.1.0" + hashes = [ + "h1:6QMZ6JACl+V2t8daN5GTlw22EtG7nhc3BbkbJDw2a5M=", + "zh:486a1c921eab5c51a480f2eb0ad85173f207c9b7bb215f3893e58bc38d3b7c75", + "zh:6901b3afa4607d1e31934ba91ed2625215ada42b3518c3a9adeeac7a5f656dc3", + "zh:7e93752c9de710e417191353ad1a41b5a60432ab7ef4f8b556bf248297ec5e23", + "zh:c795d3d319e8ee7be972746b935963b7e772a6a14080261a35c03915c1f9ccb2", + "zh:cd4f8bcaf332828d1736c73874549c25e427737f136173c7b61e2df3db50e5d9", + "zh:e0103eb2e280989c3d9ffda5d6b413e8f583be21bc1d5754c6e9ca87ecc1c44a", + "zh:f4fbec2510322d5b7ad584a92436b5dbd0f2e897a3ec538932af59e245a4c8e4", + "zh:f5418842afd4aa7676e2456e425e8f573cb2b9bffd29bd7de09d91845644ab24", + "zh:f572a26f93d00ec42461ce478678366e570fa4497e2273f9d47f24cdfc4b42b4", + "zh:ff1f07c561a3f7f219b6fee1647a559933b5dd6181753e164c3978fd47a11685", + ] +} 
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl new file mode 100644 index 000000000..17e31130f --- /dev/null +++ b/tofu/environments/production/data-store/database/terragrunt.hcl @@ -0,0 +1,63 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/data-store/database" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + vpc_id = "mock_vpc_id" + subnets = [] + source_security_groups = [] + } +} + +dependency "cache" { + config_path = "../cache" + + mock_outputs_allowed_terraform_commands = ["validate", "plan"] + mock_outputs = { + security_group_id = "mock_sg_id" + } +} + +dependency "backend" { + config_path = "../../services/backend" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + security_group_id = "sg-mocksecuritygroup" + } +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + environment = local.environment + name_prefix = local.name_prefix + region = local.region + vpc = dependency.vpc.outputs.vpc_id + subnet_group = dependency.vpc.outputs.database_subnet_group + elasticache_security_group = dependency.cache.outputs.security_group_id + backend_security_group = dependency.backend.outputs.security_group_id + tags = local.tags +} \ No newline at end of file 
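Review bot: The `vpc` mock here declares `subnets` and `source_security_groups`, but `inputs` reads `dependency.vpc.outputs.database_subnet_group`, so the mock misses the one attribute that is used and `validate` fails on a fresh environment; change the mock to `database_subnet_group = "mock-subnet-group"`. Separately, the `cache` dependency allows mocks for `plan` as well as `validate`, which means a production plan can be computed silently against the placeholder `mock_sg_id` and present a security-group rule that references a non-existent group; unless there is a bootstrap-ordering reason for it, keep that list to `["validate"]` like the other two dependencies in this file.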
diff --git a/tofu/environments/production/environment.hcl b/tofu/environments/production/environment.hcl new file mode 100644 index 000000000..6aa839efa --- /dev/null +++ b/tofu/environments/production/environment.hcl @@ -0,0 +1,10 @@ +locals { + environment_vars = yamldecode(file("environment_vars.yaml")) + + environment = local.environment_vars.environment + region = local.environment_vars.region + + tags = { + environment = local.environment + } +} \ No newline at end of file diff --git a/tofu/environments/production/environment_vars.yaml b/tofu/environments/production/environment_vars.yaml new file mode 100644 index 000000000..e415a0ef9 --- /dev/null +++ b/tofu/environments/production/environment_vars.yaml @@ -0,0 +1,4 @@ +--- +environment: production +region: us-east-1 +... \ No newline at end of file diff --git a/tofu/environments/production/network/vpc/.terraform.lock.hcl b/tofu/environments/production/network/vpc/.terraform.lock.hcl new file mode 100644 index 000000000..c8048244a --- /dev/null +++ b/tofu/environments/production/network/vpc/.terraform.lock.hcl 
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.0.0, >= 5.30.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/network/vpc/terragrunt.hcl b/tofu/environments/production/network/vpc/terragrunt.hcl new file mode 100644 index 000000000..edae031a7 --- /dev/null +++ b/tofu/environments/production/network/vpc/terragrunt.hcl 
@@ -0,0 +1,31 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/network/vpc" +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + environment = local.environment + name_prefix = local.name_prefix + region = local.region + vpc_cidr = "10.0.0.0/16" + tags = local.tags +} \ No newline at end of file diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend/.terraform.lock.hcl new file mode 100644 index 000000000..16bf2d314 --- /dev/null +++ b/tofu/environments/production/services/backend/.terraform.lock.hcl 
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend/terragrunt.hcl new file mode 100644 index 000000000..15a0c4d04 --- /dev/null +++ b/tofu/environments/production/services/backend/terragrunt.hcl 
@@ -0,0 +1,50 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/services/backend" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + vpc_id = "mock_vpc_id" + subnets = [] + ecr_endpoint_security_group = "mock_sg" + secrets_endpoint_security_group = "mock_sg" + logs_endpoint_security_group = "mock_sg" + database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] + } +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + environment = local.environment + name_prefix = local.name_prefix + region = local.region + vpc = dependency.vpc.outputs.vpc_id + subnets = dependency.vpc.outputs.private_subnets + ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group + secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group + logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group + database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + tags = local.tags +} \ No newline at end of file diff --git a/tofu/environments/production/services/frontend/.terraform.lock.hcl b/tofu/environments/production/services/frontend/.terraform.lock.hcl new file mode 100644 index 000000000..b88b3b5eb --- /dev/null +++ b/tofu/environments/production/services/frontend/.terraform.lock.hcl 
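Review bot: The `vpc` mock declares `subnets = []` but `inputs` reads `dependency.vpc.outputs.private_subnets`, so the mock is incomplete for exactly the attribute that is not mocked by name and `validate` fails on a fresh environment; rename the key to `private_subnets = []`. The stage copy of this file later in the same patch is byte-identical and needs the same change.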
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl new file mode 100644 index 000000000..275e71ba4 --- /dev/null +++ b/tofu/environments/production/services/frontend/terragrunt.hcl 
@@ -0,0 +1,46 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/services/frontend" +} + +dependency "backend" { + config_path = "../../services/backend" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + id = "mock_alb_id" + dns_name = "mock_dns_name" + } +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" + + + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4" +} + +inputs = { + environment = local.environment + name_prefix = local.name_prefix + region = local.region + tags = local.tags + ssl_cert = local.ssl_cert + backend_id = dependency.backend.outputs.id + backend_dns_name = dependency.backend.outputs.dns_name +} \ No newline at end of file diff --git a/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl new file mode 100644 index 000000000..b88b3b5eb --- /dev/null +++ b/tofu/environments/production/terraform/tfbackend/.terraform.lock.hcl 
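Review bot: `ssl_cert` hard-codes a certificate ARN, and with it the AWS account ID, directly in the production config instead of in `environment_vars.yaml` where `environment` and `region` already live. Moving it there (`ssl_cert_arn: arn:aws:acm:...`) and reading `include.environment.locals.environment_vars.ssl_cert_arn` keeps environment-specific identifiers in one place and out of the otherwise environment-agnostic HCL; an `aws_acm_certificate` data source keyed by domain inside the frontend module would remove the literal entirely. The two stray blank lines before `ssl_cert` inside `locals` can go as well.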
@@ -0,0 +1,19 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/production/terraform/tfbackend/terragrunt.hcl b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl new file mode 100644 index 000000000..74efdd318 --- /dev/null +++ b/tofu/environments/production/terraform/tfbackend/terragrunt.hcl 
@@ -0,0 +1,28 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/terraform/tfbackend" +} + +locals { + bucket_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-state" + table_name = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}-locks" + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + bucket_name = local.bucket_name + table_name = local.table_name + tags = local.tags +} \ No newline at end of file diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend/.terraform.lock.hcl new file mode 100644 index 000000000..16bf2d314 --- /dev/null +++ b/tofu/environments/stage/services/backend/.terraform.lock.hcl 
@@ -0,0 +1,20 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.41.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=", + "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667", + "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670", + "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856", + "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a", + "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3", + "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e", + "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56", + "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad", + "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86", + "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002", + ] +} diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend/terragrunt.hcl new file mode 100644 index 000000000..15a0c4d04 --- /dev/null +++ b/tofu/environments/stage/services/backend/terragrunt.hcl 
@@ -0,0 +1,50 @@ +include "root" { + path = find_in_parent_folders() + expose = true +} + +include "environment" { + path = find_in_parent_folders("environment.hcl") + expose = true +} + +terraform { + source = "../../../../modules/services/backend" +} + +dependency "vpc" { + config_path = "../../network/vpc" + + mock_outputs_allowed_terraform_commands = ["validate"] + mock_outputs = { + vpc_id = "mock_vpc_id" + subnets = [] + ecr_endpoint_security_group = "mock_sg" + secrets_endpoint_security_group = "mock_sg" + logs_endpoint_security_group = "mock_sg" + database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] + } +} + +locals { + environment = include.environment.locals.environment + name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" + region = include.environment.locals.region + + project_tags = include.root.locals.tags + environment_tags = include.environment.locals.tags + tags = "${merge(local.project_tags, local.environment_tags)}" +} + +inputs = { + environment = local.environment + name_prefix = local.name_prefix + region = local.region + vpc = dependency.vpc.outputs.vpc_id + subnets = dependency.vpc.outputs.private_subnets + ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group + secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group + logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group + database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + tags = local.tags +} \ No newline at end of file diff --git a/tofu/modules/services/backend/main.tf b/tofu/modules/services/backend/main.tf new file mode 100644 index 000000000..0c8de7f96 --- /dev/null +++ b/tofu/modules/services/backend/main.tf 
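Review bot: The `vpc` mock declares `subnets = []` while `inputs` reads `dependency.vpc.outputs.private_subnets`, so `validate` on a fresh stage environment fails on an attribute the mock does not define; rename the mock key to `private_subnets = []`. This file is a verbatim copy of the production one, so consider generating the shared mock block once rather than maintaining two copies that must drift together.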
@@ -0,0 +1,206 @@ +data "aws_ec2_managed_prefix_list" "cloudfront" { + name = "com.amazonaws.global.cloudfront.origin-facing" +} + +data "aws_region" "current" {} + +data "aws_prefix_list" "s3" { + name = "com.amazonaws.${data.aws_region.current.name}.s3" +} + +locals { + target_group_key = "${var.name_prefix}-ecs-backend" +} + +module "ecs_cluster" { + source = "github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster" + + cluster_name = var.name_prefix + + # Capacity provider + fargate_capacity_providers = { + FARGATE = { + default_capacity_provider_strategy = { + weight = 100 + } + } + } + tags = var.tags +} + +/*resource "aws_ecs_service" "backend_service" { + name = "${var.name_prefix}-backend" + cluster = module.ecs_cluster.id + + launch_type = "FARGATE" + + load_balancer { + target_group_arn = module.backend_alb.target_groups["${local.target_group_key}"].arn + container_name = "backend" + container_port = 5000 + } + + network_configuration { + security_groups = [aws_security_group.backend.id] + subnets = var.subnets + } + + #task_definition = "arn:aws:ecs:${var.region}:768512802988:task-definition/${var.name_prefix}-backend" + desired_count = 1 + tags = var.tags +}*/ + +module "backend_alb" { + source = "terraform-aws-modules/alb/aws" + version = "~> 9.0" + + name = "${var.name_prefix}-backend" + security_group_name = "${var.name_prefix}-backend-alb" + + load_balancer_type = "application" + + vpc_id = var.vpc + subnets = var.subnets + + enable_deletion_protection = false #var.environment != "sandbox" ? 
true : false + + security_group_ingress_rules = { + inbound = { + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id + } + } + + security_group_egress_rules = { + outbound = { + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + referenced_security_group_id = aws_security_group.backend.id + } + } + + listeners = { + http = { + port = 5000 + protocol = "HTTP" + + forward = { + target_group_key = local.target_group_key + } + rules = { + custom-header = { + actions = [{ + type = "forward" + target_group_key = local.target_group_key + }] + conditions = [{ + http_header = { + http_header_name = "X-Allow" + values = ["test"] + } + }] + } + } + } + } + + target_groups = { + "${local.target_group_key}" = { + name = "${var.name_prefix}-ecs-backend" + protocol = "HTTP" + port = 5000 + target_type = "ip" + deregistration_delay = 5 + load_balancing_cross_zone_enabled = true + + health_check = { + enabled = true + healthy_threshold = 5 + interval = 30 + matcher = "200" + path = "/api/v1" + port = "traffic-port" + protocol = "HTTP" + timeout = 5 + unhealthy_threshold = 2 + } + + # There's nothing to attach here in this definition. 
Instead, + # ECS will attach the IPs of the tasks to this target group + create_attachment = false + } + } + tags = merge(var.tags, { + Name = "${var.name_prefix}-backend-alb" + }) + security_group_tags = { + Name = "${var.name_prefix}-backend-alb" + } +} + +resource "aws_security_group" "backend" { + name = "${var.name_prefix}-backend" + description = "Appointment backend traffic" + vpc_id = var.vpc + tags = merge(var.tags, { + Name = "${var.name_prefix}-backend" + }) +} + +resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" { + security_group_id = aws_security_group.backend.id + description = "5000 from ALB" + from_port = 5000 + to_port = 5000 + ip_protocol = "tcp" + referenced_security_group_id = module.backend_alb.security_group_id +} + +resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB_subnets" { + for_each = toset(var.database_subnet_cidrs) + security_group_id = aws_security_group.backend.id + description = "mysql to DB" + from_port = 3306 + to_port = 3306 + ip_protocol = "tcp" + cidr_ipv4 = each.value +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" { + security_group_id = aws_security_group.backend.id + description = "TLS to ECR endpoints" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.ecr_endpoint_security_group +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to logs endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.logs_endpoint_security_group +} + +resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to secrets endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + referenced_security_group_id = var.secrets_endpoint_security_group +} + +resource 
"aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" { + security_group_id = aws_security_group.backend.id + description = "TLS to S3 endpoint" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + prefix_list_id = data.aws_prefix_list.s3.id +} \ No newline at end of file diff --git a/tofu/modules/services/backend/outputs.tf b/tofu/modules/services/backend/outputs.tf new file mode 100644 index 000000000..031f8a182 --- /dev/null +++ b/tofu/modules/services/backend/outputs.tf @@ -0,0 +1,11 @@ +output "id" { + value = module.backend_alb.id +} + +output "dns_name" { + value = module.backend_alb.dns_name +} + +output "security_group_id" { + value = aws_security_group.backend.id +} \ No newline at end of file diff --git a/tofu/modules/services/backend/variables.tf b/tofu/modules/services/backend/variables.tf new file mode 100644 index 000000000..01f678582 --- /dev/null +++ b/tofu/modules/services/backend/variables.tf @@ -0,0 +1,49 @@ +variable "environment" { + description = "Application environment ie. staging, production, etc..." + type = string +} + +variable "name_prefix" { + description = "Prefix to be used with all resource names" + type = string +} + +variable "region" { + description = "Deployment region" + type = string +} + +variable "tags" { + description = "Common tags" + type = map(string) +} + +variable "vpc" { + description = "VPC ID" + type = string +} + +variable "subnets" { + description = "Backend subnets" + type = list(any) +} + +variable "ecr_endpoint_security_group" { + description = "ECR API & DKS VPC endpoint security group" + type = string +} + +variable "secrets_endpoint_security_group" { + description = "Secrets Manager VPC endpoint security group" + type = string +} + +variable "logs_endpoint_security_group" { + description = "Cloudwatch logs VPC endpoint security group" + type = string +} + +variable "database_subnet_cidrs" { + description = "Database subnet CIDRs" + type = list +} \ No newline at end of file 
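Review bot: The `custom-header` listener rule in `module "backend_alb"` does not gate anything, because the listener's default action already forwards every request to the same `target_group_key`; since the `com.amazonaws.global.cloudfront.origin-facing` prefix list admits traffic from any CloudFront distribution in any account, that origin header is the only thing separating this ALB from the public internet, and right now its expected value is the literal `"test"` committed to source. Make the default action a fixed 403 and forward only on the header match, with the value coming from a `sensitive` input variable shared with the CloudFront origin custom header (set in the frontend module, which is not visible here). `module "ecs_cluster"` pulls `github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster` without a `?ref=` pin, so every `init` tracks the repository's default branch; pin it to a tagged release the way `backend_alb` is pinned with `version = "~> 9.0"`. `enable_deletion_protection = false`, with the environment check left commented out, also applies to production because this module is shared by both environments.
```hcl
  listeners = {
    http = {
      port     = 5000
      protocol = "HTTP"

      # Default action: nothing reaches the tasks unless the CloudFront origin header matches below.
      fixed_response = {
        content_type = "text/plain"
        message_body = "Forbidden"
        status_code  = "403"
      }

      rules = {
        custom-header = {
          # … unchanged: forward action to local.target_group_key …
          conditions = [{
            http_header = {
              http_header_name = "X-Allow"
              values           = [var.cloudfront_origin_secret] # new input, declare with sensitive = true
            }
          }]
        }
      }
    }
  }
```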
From ccd623243b7fdc555d31247ca5be560a78e81bab Mon Sep 17 00:00:00 2001
From: Jo
Date: Tue, 26 Mar 2024 10:11:01 -0400
Subject: [PATCH 266/298] add backend service
---
 .../data-store/cache/terragrunt.hcl | 4 +-
 .../data-store/database/terragrunt.hcl | 2 +-
 .../.terraform.lock.hcl | 0
 .../{backend => backend-infra}/terragrunt.hcl | 2 +-
 .../services/frontend/terragrunt.hcl | 2 +-
 .../services/backend/.terraform.lock.hcl | 20 --
 .../stage/services/backend/terragrunt.hcl | 50 -----
 tofu/modules/services/backend/main.tf | 206 ------------------
 tofu/modules/services/backend/outputs.tf | 11 -
 tofu/modules/services/backend/variables.tf | 49 -----
 10 files changed, 5 insertions(+), 341 deletions(-)
 rename tofu/environments/production/services/{backend => backend-infra}/.terraform.lock.hcl (100%)
 rename tofu/environments/production/services/{backend => backend-infra}/terragrunt.hcl (96%)
 delete mode 100644 tofu/environments/stage/services/backend/.terraform.lock.hcl
 delete mode 100644 tofu/environments/stage/services/backend/terragrunt.hcl
 delete mode 100644 tofu/modules/services/backend/main.tf
 delete mode 100644 tofu/modules/services/backend/outputs.tf
 delete mode 100644 tofu/modules/services/backend/variables.tf
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
index 38984b063..a5221540a 100644
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -24,9 +24,9 @@ dependency "vpc" {
 }
 dependency "backend" {
- config_path = "../../services/backend"
+ config_path = "../../services/backend-infra"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
 mock_outputs = {
 security_group_id = "mock_sg_id"
 }
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
index 17e31130f..082ef325d 100644
--- a/tofu/environments/production/data-store/database/terragrunt.hcl
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -35,7 +35,7 @@ dependency "cache" {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
 mock_outputs = {
 security_group_id = "sg-mocksecuritygroup"
 }
diff --git a/tofu/environments/production/services/backend/.terraform.lock.hcl b/tofu/environments/production/services/backend-infra/.terraform.lock.hcl
similarity index 100%
rename from tofu/environments/production/services/backend/.terraform.lock.hcl
rename to tofu/environments/production/services/backend-infra/.terraform.lock.hcl
diff --git a/tofu/environments/production/services/backend/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl
similarity index 96%
rename from tofu/environments/production/services/backend/terragrunt.hcl
rename to tofu/environments/production/services/backend-infra/terragrunt.hcl
index 15a0c4d04..4e84c4c63 100644
--- a/tofu/environments/production/services/backend/terragrunt.hcl
+++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl
@@ -9,7 +9,7 @@ include "environment" {
 }
 terraform {
- source = "../../../../modules/services/backend"
+ source = "../../../../modules/services/backend-infra"
 }
 dependency "vpc" {
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
index 275e71ba4..d90141733 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
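Review bot: The database `dependency "backend"` block keeps `config_path = "../../services/backend"`, but this commit renames that directory to `services/backend-infra` (see the rename entries in the diffstat and the cache hunk above), so the dependency will no longer resolve; the frontend hunk on the next line carries the same stale path. Only the cache config was updated. Change both to `config_path = "../../services/backend-infra"` in the same commit as the rename so no intermediate revision has a dangling dependency.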
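Review bot: The renamed backend-infra config now points `source` at `../../../../modules/services/backend-infra`, yet the commit deletes `tofu/modules/services/backend` without adding a `backend-infra` module (none appears in the diffstat), so unless that module lands separately `terragrunt init` will fail to find its source. If the module was meant to be renamed rather than deleted, a rename would preserve its history and keep the environment config and module in step.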
@@ -15,7 +15,7 @@ terraform {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["validate","destroy"]
 mock_outputs = {
 id = "mock_alb_id"
 dns_name = "mock_dns_name"
diff --git a/tofu/environments/stage/services/backend/.terraform.lock.hcl b/tofu/environments/stage/services/backend/.terraform.lock.hcl
deleted file mode 100644
index 16bf2d314..000000000
--- a/tofu/environments/stage/services/backend/.terraform.lock.hcl
+++ /dev/null
@@ -1,20 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
- version = "5.41.0"
- constraints = ">= 4.66.1, >= 5.33.0"
- hashes = [
- "h1:Fx+3haIzgp5zo3zVxJDMpTUQcZ8z0g8eQLFud0hA0xc=",
- "zh:28fda8bbfe6bdba53aa8a7ce1005e7d686bce1d604c6e0b58e32735162afc667",
- "zh:3961d01ce92bc6fcb1cc0e267d6fc4270adf010d93e7890460c566b2f5761670",
- "zh:85cf587abfdf6f306dc593232abb91cf5090296decaf6e84669dd92662f2f856",
- "zh:9f9d2e81f493c0daba943211c8146100d4a90f7f09fd831f4e8dde2c5f8ab34a",
- "zh:c7444bd54437f4e044dbe71353a5fc54fae5b96673c80ec42f3823e8890c5cd3",
- "zh:d041d2a83a80a2be85297cff467ef3c0ae2887789f88197bda190e6d2b64399e",
- "zh:db02a4756318595de2d72cad69c25bd29b61940ad3c91ddf06c32437170f9d56",
- "zh:dd90187b8382e28347ca08f4642a405edbb50c27c94405367f55f8fafd6b42ad",
- "zh:e8c47d26c221d6975d9905b4ffd4dc713fbafb60db2e740b974da7ff5b500a86",
- "zh:f222038c55866e5121d24290824f56c76afff2562bdd47624e42a44d1c7c2002",
- ]
-}
diff --git a/tofu/environments/stage/services/backend/terragrunt.hcl b/tofu/environments/stage/services/backend/terragrunt.hcl
deleted file mode 100644
index 15a0c4d04..000000000
--- a/tofu/environments/stage/services/backend/terragrunt.hcl
+++ /dev/null
@@ -1,50 +0,0 @@ -include "root" { - path = find_in_parent_folders() - expose = true -} - -include "environment" { - path = find_in_parent_folders("environment.hcl") - expose = true -} - -terraform { - source = "../../../../modules/services/backend" -} - -dependency "vpc" { - config_path = "../../network/vpc" - - mock_outputs_allowed_terraform_commands = ["validate"] - mock_outputs = { - vpc_id = "mock_vpc_id" - subnets = [] - ecr_endpoint_security_group = "mock_sg" - secrets_endpoint_security_group = "mock_sg" - logs_endpoint_security_group = "mock_sg" - database_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24"] - } -} - -locals { - environment = include.environment.locals.environment - name_prefix = "tb-${include.root.locals.short_name}-${include.environment.locals.environment}" - region = include.environment.locals.region - - project_tags = include.root.locals.tags - environment_tags = include.environment.locals.tags - tags = "${merge(local.project_tags, local.environment_tags)}" -} - -inputs = { - environment = local.environment - name_prefix = local.name_prefix - region = local.region - vpc = dependency.vpc.outputs.vpc_id - subnets = dependency.vpc.outputs.private_subnets - ecr_endpoint_security_group = dependency.vpc.outputs.ecr_endpoint_security_group - secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group - logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group - database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs - tags = local.tags -} \ No newline at end of file diff --git a/tofu/modules/services/backend/main.tf b/tofu/modules/services/backend/main.tf deleted file mode 100644 index 0c8de7f96..000000000 --- a/tofu/modules/services/backend/main.tf +++ /dev/null 
@@ -1,206 +0,0 @@ -data "aws_ec2_managed_prefix_list" "cloudfront" { - name = "com.amazonaws.global.cloudfront.origin-facing" -} - -data "aws_region" "current" {} - -data "aws_prefix_list" "s3" { - name = "com.amazonaws.${data.aws_region.current.name}.s3" -} - -locals { - target_group_key = "${var.name_prefix}-ecs-backend" -} - -module "ecs_cluster" { - source = "github.com/terraform-aws-modules/terraform-aws-ecs/modules/cluster" - - cluster_name = var.name_prefix - - # Capacity provider - fargate_capacity_providers = { - FARGATE = { - default_capacity_provider_strategy = { - weight = 100 - } - } - } - tags = var.tags -} - -/*resource "aws_ecs_service" "backend_service" { - name = "${var.name_prefix}-backend" - cluster = module.ecs_cluster.id - - launch_type = "FARGATE" - - load_balancer { - target_group_arn = module.backend_alb.target_groups["${local.target_group_key}"].arn - container_name = "backend" - container_port = 5000 - } - - network_configuration { - security_groups = [aws_security_group.backend.id] - subnets = var.subnets - } - - #task_definition = "arn:aws:ecs:${var.region}:768512802988:task-definition/${var.name_prefix}-backend" - desired_count = 1 - tags = var.tags -}*/ - -module "backend_alb" { - source = "terraform-aws-modules/alb/aws" - version = "~> 9.0" - - name = "${var.name_prefix}-backend" - security_group_name = "${var.name_prefix}-backend-alb" - - load_balancer_type = "application" - - vpc_id = var.vpc - subnets = var.subnets - - enable_deletion_protection = false #var.environment != "sandbox" ? 
true : false - - security_group_ingress_rules = { - inbound = { - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - prefix_list_id = data.aws_ec2_managed_prefix_list.cloudfront.id - } - } - - security_group_egress_rules = { - outbound = { - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - referenced_security_group_id = aws_security_group.backend.id - } - } - - listeners = { - http = { - port = 5000 - protocol = "HTTP" - - forward = { - target_group_key = local.target_group_key - } - rules = { - custom-header = { - actions = [{ - type = "forward" - target_group_key = local.target_group_key - }] - conditions = [{ - http_header = { - http_header_name = "X-Allow" - values = ["test"] - } - }] - } - } - } - } - - target_groups = { - "${local.target_group_key}" = { - name = "${var.name_prefix}-ecs-backend" - protocol = "HTTP" - port = 5000 - target_type = "ip" - deregistration_delay = 5 - load_balancing_cross_zone_enabled = true - - health_check = { - enabled = true - healthy_threshold = 5 - interval = 30 - matcher = "200" - path = "/api/v1" - port = "traffic-port" - protocol = "HTTP" - timeout = 5 - unhealthy_threshold = 2 - } - - # There's nothing to attach here in this definition. 
Instead, - # ECS will attach the IPs of the tasks to this target group - create_attachment = false - } - } - tags = merge(var.tags, { - Name = "${var.name_prefix}-backend-alb" - }) - security_group_tags = { - Name = "${var.name_prefix}-backend-alb" - } -} - -resource "aws_security_group" "backend" { - name = "${var.name_prefix}-backend" - description = "Appointment backend traffic" - vpc_id = var.vpc - tags = merge(var.tags, { - Name = "${var.name_prefix}-backend" - }) -} - -resource "aws_vpc_security_group_ingress_rule" "allow_5000_from_backend_alb" { - security_group_id = aws_security_group.backend.id - description = "5000 from ALB" - from_port = 5000 - to_port = 5000 - ip_protocol = "tcp" - referenced_security_group_id = module.backend_alb.security_group_id -} - -resource "aws_vpc_security_group_egress_rule" "allow_mysql_to_DB_subnets" { - for_each = toset(var.database_subnet_cidrs) - security_group_id = aws_security_group.backend.id - description = "mysql to DB" - from_port = 3306 - to_port = 3306 - ip_protocol = "tcp" - cidr_ipv4 = each.value -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_ecr_endpoints" { - security_group_id = aws_security_group.backend.id - description = "TLS to ECR endpoints" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.ecr_endpoint_security_group -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_logs_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to logs endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.logs_endpoint_security_group -} - -resource "aws_vpc_security_group_egress_rule" "allow_tls_to_secrets_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to secrets endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - referenced_security_group_id = var.secrets_endpoint_security_group -} - -resource 
"aws_vpc_security_group_egress_rule" "allow_tls_to_s3_endpoint" { - security_group_id = aws_security_group.backend.id - description = "TLS to S3 endpoint" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - prefix_list_id = data.aws_prefix_list.s3.id -} \ No newline at end of file diff --git a/tofu/modules/services/backend/outputs.tf b/tofu/modules/services/backend/outputs.tf deleted file mode 100644 index 031f8a182..000000000 --- a/tofu/modules/services/backend/outputs.tf +++ /dev/null @@ -1,11 +0,0 @@ -output "id" { - value = module.backend_alb.id -} - -output "dns_name" { - value = module.backend_alb.dns_name -} - -output "security_group_id" { - value = aws_security_group.backend.id -} \ No newline at end of file diff --git a/tofu/modules/services/backend/variables.tf b/tofu/modules/services/backend/variables.tf deleted file mode 100644 index 01f678582..000000000 --- a/tofu/modules/services/backend/variables.tf +++ /dev/null @@ -1,49 +0,0 @@ -variable "environment" { - description = "Application environment ie. staging, production, etc..." - type = string -} - -variable "name_prefix" { - description = "Prefix to be used with all resource names" - type = string -} - -variable "region" { - description = "Deployment region" - type = string -} - -variable "tags" { - description = "Common tags" - type = map(string) -} - -variable "vpc" { - description = "VPC ID" - type = string -} - -variable "subnets" { - description = "Backend subnets" - type = list(any) -} - -variable "ecr_endpoint_security_group" { - description = "ECR API & DKS VPC endpoint security group" - type = string -} - -variable "secrets_endpoint_security_group" { - description = "Secrets Manager VPC endpoint security group" - type = string -} - -variable "logs_endpoint_security_group" { - description = "Cloudwatch logs VPC endpoint security group" - type = string -} - -variable "database_subnet_cidrs" { - description = "Database subnet CIDRs" - type = list -} \ No newline at end of file 
From f4a4c5f1dfeed579bfbcdd9e56dfd2c177300412 Mon Sep 17 00:00:00 2001
From: Jo
Date: Tue, 26 Mar 2024 10:11:55 -0400
Subject: [PATCH 267/298] initial iac validation code
---
 .github/workflows/deploy.yaml | 0
 .github/workflows/iac_plan.yaml | 0
 .github/workflows/iac_validate.yaml | 26 ++++++++++++++++++++++++++
 .github/workflows/main.yaml | 0
 4 files changed, 26 insertions(+)
 create mode 100644 .github/workflows/deploy.yaml
 create mode 100644 .github/workflows/iac_plan.yaml
 create mode 100644 .github/workflows/iac_validate.yaml
 create mode 100644 .github/workflows/main.yaml
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml
new file mode 100644
index 000000000..49acd0991
--- /dev/null
+++ b/.github/workflows/iac_validate.yaml
@@ -0,0 +1,26 @@
+name: validate-iac
+on:
+ push:
+ workflow_call:
+env:
+ tf_version: '1.6.2'
+ tg_version: '0.55.15'
+ environment: 'stage'
+
+jobs:
+ validate-iac:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{ env.tf_version }}
+ - run: |
+ git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv
+ sudo ln -s ~/.tgenv/bin* /usr/local/bin
+ tgenv install ${{ env.tg_version }}
+ - run: |
+ cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend
+ terragrun init
+ terragrunt validate
+
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
new file mode 100644
index 000000000..e69de29bb
From 56d1dddda768ff44bcb5fae5aefa3713fad8ca00 Mon Sep 17 00:00:00 2001
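Review bot: `terragrun init` in the last `run:` step of iac_validate.yaml is missing the trailing `t` and will fail with "command not found"; it should read `terragrunt init`. The step before it installs the installer from a moving target (`git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv`, then `sudo ln -s ~/.tgenv/bin* /usr/local/bin`), so although `tf_version` and `tg_version` are pinned, whatever is on tgenv's `main` at run time ends up on PATH; pin a tag or commit of tgenv, or download the terragrunt release directly and verify its published checksum. `environment: 'stage'` is a fixed `env` value even though the workflow is also `workflow_call`-able, so a caller cannot validate another environment — an `inputs.environment` with that default would keep the current behaviour.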
From: Jo
Date: Tue, 26 Mar 2024 15:31:03 -0400
Subject: [PATCH 268/298] fixed formatting
---
 .../production/services/frontend/terragrunt.hcl | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
index d90141733..fc2a1f092 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
@@ -15,9 +15,9 @@ terraform {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["validate","destroy"]
+ mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
 mock_outputs = {
- id = "mock_alb_id"
+ alb_id = "mock_alb_id"
 dns_name = "mock_dns_name"
 }
 }
@@ -41,6 +41,6 @@ inputs = {
 region = local.region
 tags = local.tags
 ssl_cert = local.ssl_cert
- backend_id = dependency.backend.outputs.id
+ backend_id = dependency.backend.outputs.alb_id
 backend_dns_name = dependency.backend.outputs.dns_name
 }
\ No newline at end of file
From bf07d9850adc076eaae8388c92d179dac768ed9f Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 10:33:17 -0400
Subject: [PATCH 269/298] corrected backedn-infra dependency issue
---
 .../production/services/backend-infra/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl
index 4e84c4c63..747712f1e 100644
--- a/tofu/environments/production/services/backend-infra/terragrunt.hcl
+++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 subnets = []
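Review bot: Besides the whitespace fix the commit title describes, both hunks of this commit change which dependency output the frontend consumes, from `id` to `alb_id` (`backend_id = dependency.backend.outputs.alb_id`), and `config_path` still points at `../../services/backend`, whose module in this series exposes `output "id"`, not `alb_id`. If the intended producer is the new `backend-infra` config and it exports `alb_id`, the `config_path` should move in the same change; otherwise the mock now masks a missing output that a real plan would reject. Keeping the formatting change and the output rename in separate commits would make each easy to verify.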
From 33c7790c4ed92f898df159478561bd2911ac981d Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 10:42:53 -0400
Subject: [PATCH 270/298] dependency issue in backend-infra
---
 .../production/services/backend-infra/terragrunt.hcl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl
index 747712f1e..b67cfe467 100644
--- a/tofu/environments/production/services/backend-infra/terragrunt.hcl
+++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl
@@ -19,6 +19,7 @@ dependency "vpc" {
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 subnets = []
+ private_subnets = []
 ecr_endpoint_security_group = "mock_sg"
 secrets_endpoint_security_group = "mock_sg"
 logs_endpoint_security_group = "mock_sg"
From 9c2745d230b33b26d85f1e4d63b5cce4c4d06115 Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 11:39:29 -0400
Subject: [PATCH 271/298] added init support for dependency mock outputs
---
 .../environments/production/data-store/cache/terragrunt.hcl | 4 ++--
 .../production/data-store/database/terragrunt.hcl | 6 +++---
 .../production/services/backend-infra/terragrunt.hcl | 2 +-
 .../production/services/frontend/terragrunt.hcl | 2 +-
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
index a5221540a..88846d68a 100644
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 subnets = []
@@ -26,7 +26,7 @@ dependency "vpc" {
 dependency "backend" {
 config_path = "../../services/backend-infra"
- mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
 mock_outputs = {
 security_group_id = "mock_sg_id"
 }
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
index 082ef325d..35355f36d 100644
--- a/tofu/environments/production/data-store/database/terragrunt.hcl
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 subnets = []
@@ -26,7 +26,7 @@ dependency "vpc" {
 dependency "cache" {
 config_path = "../cache"
- mock_outputs_allowed_terraform_commands = ["validate", "plan"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
 mock_outputs = {
 security_group_id = "mock_sg_id"
 }
@@ -35,7 +35,7 @@ dependency "cache" {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
 mock_outputs = {
 security_group_id = "sg-mocksecuritygroup"
 }
diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl
index b67cfe467..5ed033407 100644
--- a/tofu/environments/production/services/backend-infra/terragrunt.hcl
+++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["init", "validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 subnets = []
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
index fc2a1f092..71af8f1bb 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
 mock_outputs = {
 alb_id = "mock_alb_id"
 dns_name = "mock_dns_name"
From d7b3659432ca8bb41fbd078c997f15fc9374d7aa Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 12:40:46 -0400
Subject: [PATCH 272/298] further dependency correction
---
 .../production/data-store/cache/terragrunt.hcl | 2 +-
 .../production/data-store/database/terragrunt.hcl | 7 +++----
 .../production/services/frontend/terragrunt.hcl | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
index 88846d68a..d843fc7aa 100644
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -18,7 +18,7 @@ dependency "vpc" {
 mock_outputs_allowed_terraform_commands = ["init", "validate"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
- subnets = []
+ database_subnets = []
 source_security_groups = []
 }
 }
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
index 35355f36d..fc1f652ce 100644
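Review bot: Adding `plan` to `mock_outputs_allowed_terraform_commands` for `dependency "vpc"` (and again in the frontend hunk on this line and in the cache and database hunks of the three following commits) means a plan run before the VPC has been applied silently substitutes `mock_vpc_id`, `mock_sg` and empty subnet lists for real values, so a green plan no longer demonstrates that the dependency chain is correct. That is reasonable for a validation-only pipeline, but a plan file produced with mocks must never be applied, and the deploy workflow added later in this series runs `terragrunt plan` followed by `terragrunt apply` in the same job. State the intent next to the list, e.g. `# mocks are for init/validate/plan in CI only; apply must see real dependency outputs`, and keep `apply` out of every such list.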
--- a/tofu/environments/production/data-store/database/terragrunt.hcl
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -17,9 +17,8 @@ dependency "vpc" {
 mock_outputs_allowed_terraform_commands = ["init", "validate"]
 mock_outputs = {
- vpc_id = "mock_vpc_id"
- subnets = []
- source_security_groups = []
+ vpc_id = "mock_vpc_id"
+ database_subnet_group = "mock_subnet_group"
 }
 }
@@ -33,7 +32,7 @@ dependency "cache" {
 }
 dependency "backend" {
- config_path = "../../services/backend"
+ config_path = "../../services/backend-infra"
 mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
 mock_outputs = {
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
index 71af8f1bb..39a5eb29a 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "backend" {
 config_path = "../../services/backend"
- mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
 mock_outputs = {
 alb_id = "mock_alb_id"
 dns_name = "mock_dns_name"
From fffb2396d26a8952942a85499e57f8fdec54039b Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 12:58:28 -0400
Subject: [PATCH 273/298] further dependency resolution
---
 tofu/environments/production/data-store/cache/terragrunt.hcl | 2 +-
 .../production/data-store/database/terragrunt.hcl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
index d843fc7aa..941d328cf 100644
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["init", "validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 database_subnets = []
diff --git a/tofu/environments/production/data-store/database/terragrunt.hcl b/tofu/environments/production/data-store/database/terragrunt.hcl
index fc1f652ce..6a8a0a46a 100644
--- a/tofu/environments/production/data-store/database/terragrunt.hcl
+++ b/tofu/environments/production/data-store/database/terragrunt.hcl
@@ -15,7 +15,7 @@ terraform {
 dependency "vpc" {
 config_path = "../../network/vpc"
- mock_outputs_allowed_terraform_commands = ["init", "validate"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
 mock_outputs = {
 vpc_id = "mock_vpc_id"
 database_subnet_group = "mock_subnet_group"
@@ -34,7 +34,7 @@ dependency "cache" {
 dependency "backend" {
 config_path = "../../services/backend-infra"
- mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
 mock_outputs = {
 security_group_id = "sg-mocksecuritygroup"
 }
From bfdbbd7f0a554fb6a5190ebaa2ac142ec7de385c Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 28 Mar 2024 13:04:34 -0400
Subject: [PATCH 274/298] further dependency resolution
---
 tofu/environments/production/data-store/cache/terragrunt.hcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tofu/environments/production/data-store/cache/terragrunt.hcl b/tofu/environments/production/data-store/cache/terragrunt.hcl
index 941d328cf..9b6781d48 100644
--- a/tofu/environments/production/data-store/cache/terragrunt.hcl
+++ b/tofu/environments/production/data-store/cache/terragrunt.hcl
@@ -26,7 +26,7 @@ dependency "vpc" {
 dependency "backend" {
 config_path = "../../services/backend-infra"
- mock_outputs_allowed_terraform_commands = ["init", "validate", "destroy"]
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"]
 mock_outputs = {
 security_group_id = "mock_sg_id"
 }
From 5b57fd0e136cfcf29317a2be16e1f85a51428004 Mon Sep 17 00:00:00 2001
From: Jo
Date: Mon, 1 Apr 2024 08:48:13 -0400
Subject: [PATCH 275/298] added backend-service verify
---
 .github/workflows/deploy-backend.yaml | 87 ++++++++++++++++++++++++
 .github/workflows/deploy-frontend.yaml | 0
 .github/workflows/primary.yaml | 94 ++++++++++++++++++++++++++
 .github/workflows/verify-backend.yaml | 87 ++++++++++++++++++++++++
 4 files changed, 268 insertions(+)
 create mode 100644 .github/workflows/deploy-backend.yaml
 create mode 100644 .github/workflows/deploy-frontend.yaml
 create mode 100644 .github/workflows/primary.yaml
 create mode 100644 .github/workflows/verify-backend.yaml
diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml
new file mode 100644
index 000000000..38e93d2dc
--- /dev/null
+++ b/.github/workflows/deploy-backend.yaml
@@ -0,0 +1,87 @@
+name: Deploy Backend
+
+# Stop any pending jobs
+concurrency:
+ group: backend
+ cancel-in-progress: true
+
+on:
+ workflow_call:
+ inputs:
+ tf_version:
+ required: true
+ type: string
+ tg_version:
+ required: true
+ type: string
+ aws_region:
+ required: true
+ type: string
+ environment:
+ required: true
+ type: string
+
+env:
+ AWS_REGION: us-east-1
+ ECR_REPOSITORY: appointments
+ ECS_SERVICE: appointments-service
+ ECS_CLUSTER: appointments
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy-backend:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{secrets.IAM_ROLE}}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{inputs.aws_region}}
+
+ - name: install opentofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{inputs.tf_version}}
+ tofu_wrapper: false
+
+ - name: install terragrunt
+ run: |
+ sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64"
+ sudo chmod +x /bin/terragrunt
+ terragrunt -v
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ mask-password: 'true'
+
+ - name: Build, tag, and push backend image to Amazon ECR
+ id: build-backend
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: backend-${{ github.sha }}
+ run: |
+ # Build a docker container and
+ # push it to ECR so that it can
+ # be deployed to ECS.
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+ echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: backend-service
+ working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service
+ run: |
+ terragrunt init
+ terragrunt validate
+ terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}'
+ terragrunt apply tfplan
+
diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml
new file mode 100644
index 000000000..9e02ecbdf
--- /dev/null
+++ b/.github/workflows/primary.yaml
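Review bot: In the `backend-service` step `terragrunt plan -var '...'` never writes a plan file, so the following `terragrunt apply tfplan` has no such file to apply and will error; the plan needs an output path, e.g. `terragrunt plan -out=tfplan -var 'image=${{ steps.build-backend.outputs.image_backend }}'`, which also guarantees that what is applied is exactly what was planned. The `install terragrunt` step fetches the release binary with `sudo wget -q -O /bin/terragrunt ...` and only runs `terragrunt -v` afterwards, with no comparison against the published SHA256SUMS, so a tampered download would execute with the deploy role's credentials — verify the checksum before `chmod +x`. `concurrency.cancel-in-progress: true` can terminate a run in the middle of `terragrunt apply`, leaving a partially applied state and a held state lock; for a deploy job, queueing rather than cancelling is the safer choice. `env.AWS_REGION`, `ECR_REPOSITORY`, `ECS_SERVICE` and `ECS_CLUSTER` are defined but only `ECR_REPOSITORY` is read by the visible steps, and `AWS_REGION` duplicates `inputs.aws_region` — drop the unused ones so the two region settings cannot drift.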
@@ -0,0 +1,94 @@
+name: Primary Workflow
+
+concurrency:
+ group: iac
+ cancel-in-progress: true
+
+on:
+ push:
+
+permissions:
+ id-token: write
+ contents: read
+
+env:
+ TF_VERSION: '1.6.2'
+ TG_VERSION: '0.55.15'
+ AWS_REGION: us-east-1
+
+jobs:
+ detect-changes:
+ runs-on: ubuntu-latest
+ outputs:
+ run-iac: ${{ steps.check.outputs.run-iac }}
+ run-backend: ${{ steps.check.outputs.run-backend }}
+ run-frontend: ${{ steps.check.outputs.run-frontend }}
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: dorny/paths-filter@v3
+ id: check
+ with:
+ filters: |
+ run-iac:
+ - 'tofu/**'
+ - '.github/workflows/**'
+ run-backend:
+ - 'backend/**'
+ run-frontend:
+ - 'frontend/**'
+
+ verify-iac:
+ needs: detect-changes
+ if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true'
+ strategy:
+ max-parallel: 1
+ matrix:
+ environment: [stage, production]
+ uses: ./.github/workflows/verify-iac.yaml
+ with:
+ tf_version: 1.6.2
+ tg_version: 0.55.15
+ aws_region: us-east-1
+ environment: ${{ matrix.environment }}
+ secrets: inherit
+
+ apply-iac:
+ needs: detect-changes
+ if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true'
+ strategy:
+ max-parallel: 1
+ matrix:
+ environment: [stage]
+ uses: ./.github/workflows/apply-iac.yaml
+ with:
+ tf_version: 1.6.2
+ tg_version: 0.55.15
+ aws_region: us-east-1
+ environment: ${{ matrix.environment }}
+ secrets: inherit
+
+ ci-tests:
+ needs: detect-changes
+ if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true')
+ uses: ./.github/workflows/ci-tests.yaml
+
+ deploy-backend:
+ needs: detect-changes
+ if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true'
+ strategy:
+ max-parallel: 1
+ matrix:
+ environment: [stage]
+ uses: ./.github/workflows/deploy-backend.yaml
+ with:
+ tf_version: 1.6.2
+ tg_version: 0.55.15
+ aws_region: us-east-1
+ environment: ${{ matrix.environment }}
+ secrets: inherit
+
+ deploy-frontend:
+ needs: detect-changes
+ if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true'
+ uses: ./.github/workflows/deploy-frontend.yaml
\ No newline at end of file
diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml
new file mode 100644
index 000000000..00e8a6cf3
--- /dev/null
+++ b/.github/workflows/verify-backend.yaml
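Review bot: The `deploy-frontend` job calls `./.github/workflows/deploy-frontend.yaml`, which this same commit creates as an empty file (index `e69de29bb`), so the run will fail at workflow validation until that file has content; `verify-iac.yaml`, `apply-iac.yaml` and `ci-tests.yaml` do not appear in the visible diffstat either, so those references may be dangling as well. The workflow-level `env` (`TF_VERSION`, `TG_VERSION`, `AWS_REGION`) is never used, because the `with:` blocks of the reusable-workflow jobs repeat the values as literals (the `env` context is, as far as I know, not available in `jobs.<id>.with`); either drop the block or expose the versions as outputs of `detect-changes` and reference `needs.detect-changes.outputs.*`. `cancel-in-progress: true` on the `iac` group means a later push can abort `apply-iac` mid-apply; `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}` cancels verification runs while letting applies finish. `on: push:` with no branch filter also means every branch push spends a verify run with inherited credentials, which may be intended but deserves a comment.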
@@ -0,0 +1,87 @@
+name: Deploy Backend
+
+# Stop any pending jobs
+concurrency:
+ group: backend
+ cancel-in-progress: true
+
+on:
+ workflow_call:
+ inputs:
+ tf_version:
+ required: true
+ type: string
+ tg_version:
+ required: true
+ type: string
+ aws_region:
+ required: true
+ type: string
+ environment:
+ required: true
+ type: string
+
+env:
+ AWS_REGION: us-east-1
+ ECR_REPOSITORY: appointments
+ ECS_SERVICE: appointments-service
+ ECS_CLUSTER: appointments
+ IMAGE: dummyimagename
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy-backend:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{secrets.IAM_ROLE}}
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{inputs.aws_region}}
+
+ - name: install opentofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: ${{inputs.tf_version}}
+ tofu_wrapper: false
+
+ - name: install terragrunt
+ run: |
+ sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64"
+ sudo chmod +x /bin/terragrunt
+ terragrunt -v
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ with:
+ mask-password: 'true'
+
+ - name: Build, tag, and push backend image to Amazon ECR
+ id: build-backend
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: backend-${{ github.sha }}
+ run: |
+ # Build a docker container and
+ # push it to ECR so that it can
+ # be deployed to ECS.
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+ echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: backend-service
+ working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service
+ run: |
+ terragrunt init
+ terragrunt validate
+ terragrunt plan -var 'image=$IMAGE'
+
From 8df81acf6c09895a611ab83767f6d3138f3e9877 Mon Sep 17 00:00:00 2001
From: Jo
Date: Mon, 1 Apr 2024 08:50:58 -0400
Subject: [PATCH 276/298] testing primary action
---
 .github/workflows/primary.yaml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml
index 9e02ecbdf..038e8b1ed 100644
--- a/.github/workflows/primary.yaml
+++ b/.github/workflows/primary.yaml
@@ -88,7 +88,3 @@ jobs:
 environment: ${{ matrix.environment }}
 secrets: inherit
 
- deploy-frontend:
- needs: detect-changes
- if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-frontend == 'true'
- uses: ./.github/workflows/deploy-frontend.yaml
\ No newline at end of file
From 8719c1355c9a4c669074c327a0daea19044db655 Mon Sep 17 00:00:00 2001
From: Jo
Date: Thu, 4 Apr 2024 13:37:28 -0400
Subject: [PATCH 277/298] backend troubleshooting
---
 tofu/environments/production/services/frontend/terragrunt.hcl | 2 +-
 tofu/modules/services/backend-infra/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl
index 39a5eb29a..a3eceb96e 100644
--- a/tofu/environments/production/services/frontend/terragrunt.hcl
+++ b/tofu/environments/production/services/frontend/terragrunt.hcl
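Review bot: `terragrunt plan -var 'image=$IMAGE'` is single-quoted, so the shell never expands `$IMAGE` and the literal text `$IMAGE` becomes the variable value; it should be `terragrunt plan -var "image=$IMAGE"` (or `${{ env.IMAGE }}`). The file is otherwise a copy of deploy-backend.yaml, still titled `name: Deploy Backend`, and it still runs `docker push` to ECR, so every verification run publishes a new image tag; a verify workflow should stop at `docker build`, or skip the build, and leave pushing to the deploy workflow. As in deploy-backend.yaml, the actions are pinned to floating major tags and the terragrunt binary is downloaded with `wget` and executed without a checksum check.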
@@ -32,7 +32,7 @@ locals { tags = "${merge(local.project_tags, local.environment_tags)}" - ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/b826074c-ed59-454f-a3e6-8c3a7e2be1f4" + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" } inputs = { diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index ba46170ba..c45052ba5 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -156,7 +156,7 @@ module "backend_alb" { matcher = "200" path = "/" port = "traffic-port" - protocol = "HTTP" + protocol = "HTTPS" timeout = 5 unhealthy_threshold = 2 } From a7092656d17744483d78e85a09443de4bbd41e75 Mon Sep 17 00:00:00 2001 From: Jo Date: Thu, 4 Apr 2024 15:51:07 -0400 Subject: [PATCH 278/298] backend troubleshooting --- tofu/modules/services/backend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index c45052ba5..ba46170ba 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf @@ -156,7 +156,7 @@ module "backend_alb" { matcher = "200" path = "/" port = "traffic-port" - protocol = "HTTPS" + protocol = "HTTP" timeout = 5 unhealthy_threshold = 2 } From 616266912171cb62e570b16426a78907033492dc Mon Sep 17 00:00:00 2001 From: Jo Date: Sun, 7 Apr 2024 09:46:44 -0400 Subject: [PATCH 279/298] backend troubleshooting --- tofu/modules/services/frontend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index 03eb424cc..706e3caf6 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf 
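Review bot: The ACM certificate ARN is a hard-coded literal in this environment file, and the same literal is pasted into backend-infra/terragrunt.hcl in patch 288, so a certificate rotation means editing every copy and the account ID travels with the config. A `data "aws_acm_certificate"` lookup by domain inside the module, or a single `ssl_cert` value in `environment.hcl` that both services read, would remove the duplication. The `backend_alb` health-check hunk in the same patch flips `protocol` to `"HTTPS"` while leaving `port = "traffic-port"` and `path = "/"`; that only works if the target serves TLS on its traffic port, and patch 278 reverts it, so the pair reads as a debugging round-trip rather than a finished change.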
@@ -113,7 +113,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 80 + http_port = 5000 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] From 212a5723c10619e8984aecb31eac963513237171 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 10 Apr 2024 13:40:46 -0400 Subject: [PATCH 280/298] add api rewriting and x-allow secret generation --- tofu/modules/services/frontend-infra/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index 706e3caf6..03eb424cc 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf @@ -113,7 +113,7 @@ resource "aws_cloudfront_distribution" "appointment" { origin_id = var.backend_id domain_name = var.backend_dns_name custom_origin_config { - http_port = 5000 + http_port = 80 https_port = 5000 origin_protocol_policy = "https-only" origin_ssl_protocols = ["TLSv1.2"] From e216f725fddfb3e3812bb2e2e52c13b1847e5a32 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 16 Apr 2024 11:51:13 -0400 Subject: [PATCH 281/298] api uri rewrite update --- tofu/modules/services/frontend-infra/main.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index 03eb424cc..32b71fb88 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf 
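Review bot: With `origin_protocol_policy = "https-only"` CloudFront only ever connects to this origin on `https_port`, so changing `http_port` from 80 to 5000 has no effect on traffic, and patch 280 flips it back under a subject ("add api rewriting and x-allow secret generation") that describes changes not present in that diff. If the backend serves TLS on 5000, `https_port = 5000` is already the operative setting; if it only serves plain HTTP on 5000, the policy rather than the port is what needs changing. A one-line comment on `custom_origin_config` stating which port the backend actually serves TLS on, e.g. `# backend ALB listens for TLS on 5000; http_port is unused under https-only`, would have saved the round-trip.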
@@ -216,7 +216,10 @@ resource "aws_cloudfront_function" "rewrite" { // If we're not in one of the ignorePaths then force them to /index.html request.uri = '/index.html'; } - + // Remove the index.html default root object added by Cloudfront + if (request.uri.endsWith('index.html')) { + request.uri = request.uri.replace('index.html', ""); + } // else carry on like normal. return request; } From e3d94387527b8d9ca9fd27877a62b45e618e0e00 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 16 Apr 2024 15:32:50 -0400 Subject: [PATCH 282/298] add index.html function --- .github/workflows/deploy-frontend.yaml | 0 tofu/modules/services/frontend-infra/main.tf | 27 +++++++++++++++++--- 2 files changed, 24 insertions(+), 3 deletions(-) delete mode 100644 .github/workflows/deploy-frontend.yaml diff --git a/.github/workflows/deploy-frontend.yaml b/.github/workflows/deploy-frontend.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index 32b71fb88..21d99aeae 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf @@ -217,15 +217,36 @@ resource "aws_cloudfront_function" "rewrite" { request.uri = '/index.html'; } // Remove the index.html default root object added by Cloudfront - if (request.uri.endsWith('index.html')) { - request.uri = request.uri.replace('index.html', ""); - } + //if (request.uri.endsWith('index.html')) { + // request.uri = request.uri.replace('index.html', ""); + //} // else carry on like normal. return request; } EOT } +resource "aws_cloudfront_function" "add_index" { + name = "${var.name_prefix}-add-index" + runtime = "cloudfront-js-2.0" + code = < Date: Wed, 17 Apr 2024 08:32:33 -0400 Subject: [PATCH 283/298] fix mock execution role & temporailiry disable verify-iac for add-tf-iac branch --- .github/workflows/primary.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
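Review bot: The new block undoes the assignment directly above it: a request that is not on an ignore path is first set to `/index.html` and then, because `request.uri.endsWith('index.html')` is now true, rewritten to `/`, so the SPA fallback ends up relying on the distribution's default root object rather than the explicit `index.html`. `replace('index.html', "")` with a string pattern also replaces only the first occurrence, so a URI such as `/index.html/index.html` would become `//index.html`; under the `endsWith` guard, `request.uri = request.uri.slice(0, -'index.html'.length);` strips exactly the trailing segment. The enclosing function starts outside this hunk, so `ignorePaths` and the earlier branches were not reviewed; patch 282 comments this block out again.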
diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 038e8b1ed..0ce3d0ee5 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -40,7 +40,7 @@ jobs: verify-iac: needs: detect-changes - if: github.ref != 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' + if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' strategy: max-parallel: 1 matrix: From 14b189bae372a1e31e19e62fa1cf81b299c2ef47 Mon Sep 17 00:00:00 2001 From: Jo Date: Wed, 17 Apr 2024 13:41:39 -0400 Subject: [PATCH 284/298] replacing DB secrets --- .github/workflows/primary.yaml | 1 + .../backend-infra/.terraform.lock.hcl | 37 +++++++++++++++++++ 2 files changed, 38 insertions(+) create mode 100644 tofu/modules/services/backend-infra/.terraform.lock.hcl diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml index 0ce3d0ee5..809bf344a 100644 --- a/.github/workflows/primary.yaml +++ b/.github/workflows/primary.yaml @@ -35,6 +35,7 @@ jobs: - '.github/workflows/**' run-backend: - 'backend/**' + 'tofu/modules/services/backend-service/**' run-frontend: - 'frontend/**' diff --git a/tofu/modules/services/backend-infra/.terraform.lock.hcl b/tofu/modules/services/backend-infra/.terraform.lock.hcl new file mode 100644 index 000000000..181a05a23 --- /dev/null +++ b/tofu/modules/services/backend-infra/.terraform.lock.hcl 
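Review bot: Replacing `refs/heads/main` with `refs/heads/add-tf-iac` in the `verify-iac` gate inverts it: verification now runs on every branch except `add-tf-iac`, including `main`, where `apply-iac` already runs with the same inherited credentials, and the "temporary" branch name becomes a permanent literal in the workflow. If the goal is to skip verification on one branch for a while, a repository variable read through the `vars` context or a `workflow_dispatch` input is easier to remove later than an edited ref comparison. The subject line's "fix mock execution role" describes a change that is not in this diff.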
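Review bot: The added filter entry `'tofu/modules/services/backend-service/**'` lacks the `- ` list marker the neighbouring entries carry, so the `run-backend` sequence is no longer valid YAML; because `filters:` is a literal block that `dorny/paths-filter` parses at runtime, the failure surfaces when `detect-changes` runs rather than at workflow validation. The line should be `- 'tofu/modules/services/backend-service/**'`. `tofu/**` under `run-iac` already matches this path, so a backend-service change will trigger both `apply-iac` and `deploy-backend`; that may be intended, but it is worth a comment. The subject "replacing DB secrets" does not describe this change.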
@@ -0,0 +1,37 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.45.0" + constraints = ">= 4.66.1, >= 5.33.0" + hashes = [ + "h1:3zU3yp1SY+8vHAQvhfhYdPnFYQpFwXXXar+hOrnofzQ=", + "zh:1d71c406aeaf4ba762eb62e4595ab9c9f8da1a2c9b74bb4277c0acfd9678ae65", + "zh:3b00b13154eadedb37bca99bf7cbd556fa9472e6900c970effa17a270ee9f721", + "zh:6f264e8b70153925ac8abfa83ebffe2c2d5a27ab5557a6b16124269b08ac2441", + "zh:80f7d552faf5c43d7dc22c6c1f7e70557b9f01c67db07abbb0330d5d3fc0e464", + "zh:863a2a2e6ae5b42fc46b209d8f2761c882d46aca481a8c49ef221d290b4fd88e", + "zh:8e3bddeb2da7e6bcfd0b0221a083778d2f7fc5cd64f55de7d8d79bd1f7378bae", + "zh:c726104e46cd743bbf240101d7975f44091d893b6e97b46070df0041779b04d2", + "zh:db73a89b462fdd6eb6f32e6ed464430a895fc2e54fb629e8b99773fc32a6a7a8", + "zh:e35179b89eba358f521ffd4546345b4d0683ca3364a9deb8f3b7b4bf60be6f02", + "zh:e7b54a0faecd34a9c73729d1d1f0cfc1b8f56bae789f95987002616f1265ce72", + ] +} + +provider "registry.opentofu.org/hashicorp/random" { + version = "3.6.1" + hashes = [ + "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", + "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", + "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", + "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", + "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", + "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", + "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", + "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", + "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", + "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", + "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", + ] +} From 6db8f1e977f2104078597eb3c29deb1108fba7c5 Mon Sep 17 00:00:00 2001 
From: Jo Date: Wed, 17 Apr 2024 13:56:13 -0400 Subject: [PATCH 285/298] improve x-allow secret handling --- tofu/modules/services/frontend-infra/main.tf | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index 21d99aeae..fa6fcc34e 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf @@ -216,10 +216,6 @@ resource "aws_cloudfront_function" "rewrite" { // If we're not in one of the ignorePaths then force them to /index.html request.uri = '/index.html'; } - // Remove the index.html default root object added by Cloudfront - //if (request.uri.endsWith('index.html')) { - // request.uri = request.uri.replace('index.html', ""); - //} // else carry on like normal. return request; } @@ -239,7 +235,7 @@ resource "aws_cloudfront_function" "add_index" { request.uri += 'index.html'; } // Check whether the URI is missing a file extension. - else if (uri == '') { + else if (!uri.includes('.')) { request.uri += '/index.html'; } From cb1216e7094f265b0e3badf91737a0e02196ca24 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 12:40:20 -0400 Subject: [PATCH 286/298] add smtp outbound --- tofu/modules/services/backend-infra/main.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index ba46170ba..ebd2ffdb1 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
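Review bot: `!uri.includes('.')` tests the whole URI, so any path whose directory name contains a dot is left alone even when it has no file extension (`/v1.0/about` is not rewritten), while any dot-free path is treated as a directory. Testing only the final segment, e.g. `const last = uri.substring(uri.lastIndexOf('/') + 1);` followed by `else if (!last.includes('.'))`, narrows the heuristic to what the comment ("missing a file extension") says it checks. The enclosing `add_index` function starts outside this hunk, so how `uri` is derived from `request.uri` was not reviewed; the commit subject "improve x-allow secret handling" does not describe this change.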
@@ -247,6 +247,24 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_to_all" { cidr_ipv4 = "0.0.0.0/0" } +resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { + security_group_id = aws_security_group.backend.id + description = "smtp to internet" + from_port = 587 + to_port = 587 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" +} + +resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { + security_group_id = aws_security_group.backend.id + description = "smtp to internet" + from_port = 587 + to_port = 587 + ip_protocol = "tcp" + cidr_ipv4 = "0.0.0.0/0" +} + resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { security_group_id = aws_security_group.backend.id description = "smtp to internet" From 37a89014e9a25f427cc7a527eb648f1b613fb807 Mon Sep 17 00:00:00 2001 From: Jo Date: Mon, 22 Apr 2024 13:53:09 -0400 Subject: [PATCH 287/298] adjusting provider requirements --- tofu/environments/production/services/frontend/terragrunt.hcl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index a3eceb96e..f94fe7781 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -19,6 +19,7 @@ dependency "backend" { mock_outputs = { alb_id = "mock_alb_id" dns_name = "mock_dns_name" + x_allow_secret = "mock_secret" } } @@ -43,4 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file From 58e768b0095631c78c7a95dc3ff3e6a7712724f1 Mon Sep 17 00:00:00 2001 
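Review bot: The hunk adds two `aws_vpc_security_group_egress_rule` blocks both named `allow_smtp_to_all`, and the trailing context shows a third block with the same name already present, so the module declares the same resource address three times and `tofu validate` will reject it with a duplicate-resource error (patch 289 later removes 18 lines from this file, apparently for this reason). Keep a single block. Since the rule opens TCP 587 to `0.0.0.0/0`, a comment naming the relay it is meant to reach — and, where that relay has a stable address range, narrowing `cidr_ipv4` to it — keeps the backend task's egress surface deliberate rather than open-ended.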
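Review bot: `x_allow_secret` is read from `dependency.backend.outputs.x_allow_secret` and passed straight into the frontend module, so the secret value lives in plaintext in the backend state, the frontend state and every `terragrunt plan` output for this service. That is inherent to passing it as an output, so the commit should at least confirm the backend output is declared `sensitive = true` (not visible here) and that both state backends are encrypted with access limited to the deploy role; a comment on this line, `# secret is persisted in both states; keep state access restricted`, would record the trade-off. The `"mock_secret"` value in the first hunk only applies to runs that hit the mock path, so it is fine as is.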
From: Jo Date: Mon, 22 Apr 2024 14:41:09 -0400 Subject: [PATCH 288/298] adjusting provider requirements --- .../production/services/backend-infra/terragrunt.hcl | 1 + 1 file changed, 1 insertion(+) diff --git a/tofu/environments/production/services/backend-infra/terragrunt.hcl b/tofu/environments/production/services/backend-infra/terragrunt.hcl index 5ed033407..93beded47 100644 --- a/tofu/environments/production/services/backend-infra/terragrunt.hcl +++ b/tofu/environments/production/services/backend-infra/terragrunt.hcl @@ -47,5 +47,6 @@ inputs = { secrets_endpoint_security_group = dependency.vpc.outputs.secrets_endpoint_security_group logs_endpoint_security_group = dependency.vpc.outputs.logs_endpoint_security_group database_subnet_cidrs = dependency.vpc.outputs.database_subnet_cidrs + ssl_cert = "arn:aws:acm:us-east-1:768512802988:certificate/4a53e27b-0cd3-4855-a13f-5bac50015e43" tags = local.tags } \ No newline at end of file From a00112b5bc6f1c52f2780d309d9e5e2f6c2623eb Mon Sep 17 00:00:00 2001 
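Review bot: The `ssl_cert` ARN added here is the same literal already present in `production/services/frontend/terragrunt.hcl` (patch 277), so the certificate is now pinned in two environment files that must be edited together on rotation. Hoisting it into `environment.hcl` as a local and reading it in both `inputs` blocks — `ssl_cert = local.ssl_cert`, matching the frontend file's existing style — keeps one source of truth. The commit subject "adjusting provider requirements" does not describe this change.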
From: Jo Date: Fri, 17 May 2024 13:44:44 -0400 Subject: [PATCH 289/298] general cleanup --- .github/workflows/deploy-backend.yaml | 87 ------------------ .github/workflows/deploy.yaml | 0 .github/workflows/iac_plan.yaml | 0 .github/workflows/iac_validate.yaml | 26 ------ .github/workflows/main.yaml | 0 .github/workflows/primary.yaml | 91 ------------------- .github/workflows/verify-backend.yaml | 87 ------------------ .../prod/data-store/cache/terragrunt.hcl | 4 +- .../services/frontend/terragrunt.hcl | 6 +- .../data-store/cache/.terraform.lock.hcl | 24 ++--- .../stage/data-store/cache/terragrunt.hcl | 4 +- .../data-store/database/.terraform.lock.hcl | 24 ++--- .../stage/network/vpc/.terraform.lock.hcl | 24 ++--- .../backend-infra/.terraform.lock.hcl | 42 +++------ .../frontend-infra/.terraform.lock.hcl | 24 ++--- tofu/modules/services/backend-infra/main.tf | 18 ---- tofu/modules/services/frontend-infra/main.tf | 29 ------ 17 files changed, 67 insertions(+), 423 deletions(-) delete mode 100644 .github/workflows/deploy-backend.yaml delete mode 100644 .github/workflows/deploy.yaml delete mode 100644 .github/workflows/iac_plan.yaml delete mode 100644 .github/workflows/iac_validate.yaml delete mode 100644 .github/workflows/main.yaml delete mode 100644 .github/workflows/primary.yaml delete mode 100644 .github/workflows/verify-backend.yaml diff --git a/.github/workflows/deploy-backend.yaml b/.github/workflows/deploy-backend.yaml deleted file mode 100644 index 38e93d2dc..000000000 --- a/.github/workflows/deploy-backend.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -name: Deploy Backend - -# Stop any pending jobs -concurrency: - group: backend - cancel-in-progress: true - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments - -permissions: - id-token: write - contents: read - -jobs: - deploy-backend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - - name: backend-service - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service - run: | - terragrunt init - terragrunt validate - terragrunt plan -var 'image=${{ steps.build-backend.outputs.image_backend }}' - terragrunt apply tfplan - diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/iac_plan.yaml b/.github/workflows/iac_plan.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/iac_validate.yaml b/.github/workflows/iac_validate.yaml deleted file mode 100644 index 49acd0991..000000000 --- a/.github/workflows/iac_validate.yaml +++ /dev/null @@ -1,26 +0,0 @@ -name: validate-iac -on: - push: - workflow_call: -env: - tf_version: '1.6.2' - tg_version: '0.55.15' - environment: 'stage' - -jobs: - validate-iac: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{ env.tf_version }} - - run: | - git clone --depth 1 --branch main https://github.com/tgenv/tgenv.git ~/.tgenv - sudo ln -s ~/.tgenv/bin* /usr/local/bin - tgenv install ${{ env.tg_version }} - - run: | - cd ./tofu/environments/${{ env.environment }}/terraform/tfbackend - terragrun init - terragrunt validate - diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/.github/workflows/primary.yaml b/.github/workflows/primary.yaml deleted file mode 100644 index 809bf344a..000000000 --- a/.github/workflows/primary.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -name: Primary Workflow - -concurrency: - group: iac - cancel-in-progress: true - -on: - push: - -permissions: - id-token: write - contents: read - -env: - TF_VERSION: '1.6.2' - TG_VERSION: '0.55.15' - AWS_REGION: us-east-1 - -jobs: - detect-changes: - runs-on: ubuntu-latest - outputs: - run-iac: ${{ steps.check.outputs.run-iac }} - run-backend: ${{ steps.check.outputs.run-backend }} - run-frontend: ${{ steps.check.outputs.run-frontend }} - steps: - - uses: actions/checkout@v4 - - - uses: dorny/paths-filter@v3 - id: check - with: - filters: | - run-iac: - - 'tofu/**' - - '.github/workflows/**' - run-backend: - - 'backend/**' - 'tofu/modules/services/backend-service/**' - run-frontend: - - 'frontend/**' - - verify-iac: - needs: detect-changes - if: github.ref != 'refs/heads/add-tf-iac' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage, production] - uses: ./.github/workflows/verify-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - apply-iac: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-iac == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/apply-iac.yaml - with: - tf_version: 1.6.2 - tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - - ci-tests: - needs: detect-changes - if: github.ref == 'refs/heads/main' && (needs.detect-changes.outputs.run-backend == 'true' || needs.detect-changes.outputs.run-frontend == 'true') - uses: ./.github/workflows/ci-tests.yaml - - deploy-backend: - needs: detect-changes - if: github.ref == 'refs/heads/main' && needs.detect-changes.outputs.run-backend == 'true' - strategy: - max-parallel: 1 - matrix: - environment: [stage] - uses: ./.github/workflows/deploy-backend.yaml - with: - tf_version: 1.6.2 - 
tg_version: 0.55.15 - aws_region: us-east-1 - environment: ${{ matrix.environment }} - secrets: inherit - diff --git a/.github/workflows/verify-backend.yaml b/.github/workflows/verify-backend.yaml deleted file mode 100644 index 00e8a6cf3..000000000 --- a/.github/workflows/verify-backend.yaml +++ /dev/null 
@@ -1,87 +0,0 @@ -name: Deploy Backend - -# Stop any pending jobs -concurrency: - group: backend - cancel-in-progress: true - -on: - workflow_call: - inputs: - tf_version: - required: true - type: string - tg_version: - required: true - type: string - aws_region: - required: true - type: string - environment: - required: true - type: string - -env: - AWS_REGION: us-east-1 - ECR_REPOSITORY: appointments - ECS_SERVICE: appointments-service - ECS_CLUSTER: appointments - IMAGE: dummyimagename - -permissions: - id-token: write - contents: read - -jobs: - deploy-backend: - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{secrets.IAM_ROLE}} - role-session-name: GitHub_to_AWS_via_FederatedOIDC - aws-region: ${{inputs.aws_region}} - - - name: install opentofu - uses: opentofu/setup-opentofu@v1 - with: - tofu_version: ${{inputs.tf_version}} - tofu_wrapper: false - - - name: install terragrunt - run: | - sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ inputs.tg_version }}/terragrunt_linux_amd64" - sudo chmod +x /bin/terragrunt - terragrunt -v - - - name: Login to Amazon ECR - id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 - with: - mask-password: 'true' - - - name: Build, tag, and push backend image to Amazon ECR - id: build-backend - env: - ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - IMAGE_TAG: backend-${{ github.sha }} - run: | - # Build a docker container and - # push it to ECR so that it can - # be deployed to ECS. 
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ./backend -f ./backend/deploy.dockerfile - docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG - echo "image_backend=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT - - - name: backend-service - working-directory: ./tofu/environments/${{inputs.environment}}/services/backend-service - run: | - terragrunt init - terragrunt validate - terragrunt plan -var 'image=$IMAGE' - diff --git a/tofu/environments/prod/data-store/cache/terragrunt.hcl b/tofu/environments/prod/data-store/cache/terragrunt.hcl index 0fe750d09..9011c853d 100644 --- a/tofu/environments/prod/data-store/cache/terragrunt.hcl +++ b/tofu/environments/prod/data-store/cache/terragrunt.hcl @@ -18,8 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" - subnets = ["subnet-mocksubnet1234567"] - database_subnet_cidrs = ["subnet-mocksubnet1234567"] + subnets = ["subnet-mocksubnet1234567"] + database_subnet_cidrs = ["subnet-mocksubnet1234567"] source_security_groups = ["sg-mocksecuritygroup"] } } diff --git a/tofu/environments/production/services/frontend/terragrunt.hcl b/tofu/environments/production/services/frontend/terragrunt.hcl index f94fe7781..5e4c5e5c6 100644 --- a/tofu/environments/production/services/frontend/terragrunt.hcl +++ b/tofu/environments/production/services/frontend/terragrunt.hcl @@ -17,8 +17,8 @@ dependency "backend" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan", "destroy"] mock_outputs = { - alb_id = "mock_alb_id" - dns_name = "mock_dns_name" + alb_id = "mock_alb_id" + dns_name = "mock_dns_name" x_allow_secret = "mock_secret" } } 
@@ -44,5 +44,5 @@ inputs = { ssl_cert = local.ssl_cert backend_id = dependency.backend.outputs.alb_id backend_dns_name = dependency.backend.outputs.dns_name - x_allow_secret = dependency.backend.outputs.x_allow_secret + x_allow_secret = dependency.backend.outputs.x_allow_secret } \ No newline at end of file diff --git a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl index fa8ff69df..69708e2d9 100644 --- a/tofu/environments/stage/data-store/cache/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/cache/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.49.0" + version = "5.50.0" constraints = ">= 5.46.0" hashes = [ - "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", - "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", - "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", - "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", - "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", - "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", - "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", - "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", - "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", - "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", - "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", + "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=", + "zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd", + "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38", + "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4", + "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f", + "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90", + "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744", + "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729", + "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5", + "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda", + "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4", ] } diff --git a/tofu/environments/stage/data-store/cache/terragrunt.hcl b/tofu/environments/stage/data-store/cache/terragrunt.hcl index 0fe750d09..9011c853d 100644 --- a/tofu/environments/stage/data-store/cache/terragrunt.hcl 
+++ b/tofu/environments/stage/data-store/cache/terragrunt.hcl @@ -18,8 +18,8 @@ dependency "vpc" { mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"] mock_outputs = { vpc_id = "mock_vpc_id" - subnets = ["subnet-mocksubnet1234567"] - database_subnet_cidrs = ["subnet-mocksubnet1234567"] + subnets = ["subnet-mocksubnet1234567"] + database_subnet_cidrs = ["subnet-mocksubnet1234567"] source_security_groups = ["sg-mocksecuritygroup"] } } diff --git a/tofu/environments/stage/data-store/database/.terraform.lock.hcl b/tofu/environments/stage/data-store/database/.terraform.lock.hcl index 0bcfd9f63..9cf40ccc0 100644 --- a/tofu/environments/stage/data-store/database/.terraform.lock.hcl +++ b/tofu/environments/stage/data-store/database/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.49.0" + version = "5.50.0" constraints = ">= 5.46.0, >= 5.47.0" hashes = [ - "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", - "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", - "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", - "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", - "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", - "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", - "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", - "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", - "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", - "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", - "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", + "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=", + "zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd", + "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38", + "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4", + "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f", + "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90", + "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744", + "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729", + "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5", + "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda", + "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4", ] } diff --git a/tofu/environments/stage/network/vpc/.terraform.lock.hcl b/tofu/environments/stage/network/vpc/.terraform.lock.hcl index 1b7a13847..944d72967 100644 --- a/tofu/environments/stage/network/vpc/.terraform.lock.hcl 
+++ b/tofu/environments/stage/network/vpc/.terraform.lock.hcl @@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.49.0" + version = "5.50.0" constraints = ">= 4.0.0, >= 5.30.0, >= 5.46.0" hashes = [ - "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", - "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", - "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", - "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", - "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", - "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", - "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", - "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", - "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", - "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", - "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", + "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=", + "zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd", + "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38", + "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4", + "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f", + "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90", + "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744", + "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729", + "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5", + "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda", + "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4", ] } 
diff --git a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl index d45066419..fbcda8815 100644 --- a/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/backend-infra/.terraform.lock.hcl 
@@ -2,38 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.49.0" + version = "5.50.0" constraints = ">= 4.66.1, >= 5.46.0" hashes = [ - "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", - "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", - "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", - "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", - "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", - "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", - "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", - "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", - "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", - "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", - "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", - ] -} - -provider "registry.opentofu.org/hashicorp/random" { - version = "3.6.1" - constraints = ">= 3.6.1" - hashes = [ - "h1:egGGMQ18ihxoFBTgL/6aRL2N5/0bTI738Mg+TTsvBHA=", - "zh:1208af24d1f66e858740812dd5da12e8951b1ca75cc6edb1975ba22bfdeefb1b", - "zh:19137e9b4d3c15e1d99d2352888b98ec0e69bd5b2e89049150379d7bbd115063", - "zh:26613834a1a8ac60390c7a4cbd4cb794b01dfe237d2b0c10f132f3e434a21e03", - "zh:2cbe4425918f3f401609d89e6381f7d120493d637a3d103d827f0c0fd00b1600", - "zh:44ef27a972540435efa88f323280f96d6ac77934079225e7fcc3560cc28aae59", - "zh:8c5d4ca7d1ce007f7c055807cde77aad4685eb807ff802c93ffbec8589068f17", - "zh:9a4fa908d6af48805c862cd4f3a1031d552b96d863a94263e390ac92915d74a9", - "zh:ba396849f0f6d488784f6039095634e1c84e67e31375f3d17218fcf8ce952cb8", - "zh:cb695db8798957bd64ce411f061307e39cb2baa69668b4d42ccf010db47d2e39", - "zh:d02704bf99a93dc0b1ca00bd6051df9c431fbe17cd662a1ab58db1b96264a26f", + "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=", + 
"zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd", + "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38", + "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4", + "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f", + "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90", + "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744", + "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729", + "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5", + "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda", + "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4", ] } diff --git a/tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl b/tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl index fa8ff69df..69708e2d9 100644 --- a/tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl +++ b/tofu/environments/stage/services/frontend-infra/.terraform.lock.hcl 
@@ -2,20 +2,20 @@ # Manual edits may be lost in future updates. provider "registry.opentofu.org/hashicorp/aws" { - version = "5.49.0" + version = "5.50.0" constraints = ">= 5.46.0" hashes = [ - "h1:AZ3scqlcBQlDVHe8nnUIpsE9VlcjD/uN86p9WSTPjfE=", - "zh:322e5ff7b3a1059b74d656eb16e56e4e0c5ac892fd80593959b4a1ffe558b794", - "zh:3a393b4b5b371dd390a1fc60d532cb0dd3bb4e092a3965f125f35e82ead704b1", - "zh:7b42169c170ce122ecdede71af8ab229b74b27be30f731a3e682db8d4bb80cb0", - "zh:7e2ac928ffcb4cf74eba3abb1e0b57fe3d19703a20068531c3329721dc0a4881", - "zh:9bc1df526041b3b0b773bb435015d04bdd12ae06e93a849cf60f0db5d8679971", - "zh:9db31718f4a1bb48633414ee960a13005d8c1f4504dbd8ec594b370f664ea94b", - "zh:abb6afcb0e16f0e1db7e122ae185cf214d7a3000eb9b223d980aed6e7a7b5853", - "zh:b78ebff83350ded37a7dbaf9124ce0fdf5e374eec645559cc0f8d72f2ac9327e", - "zh:cf0c600d1157487467df4813aa5b6e7201159e95ce7849f57bffedca92641bfa", - "zh:da8cd355307f653fb457b5e65a6bf465e1d88a36ef8388723833b3dce408d981", + "h1:ZN7MLKklx+LTYZvRerNw5O2qHA913Xg9eQW99uqfbI8=", + "zh:17345c5dee93b49009c7941b1e47bb6fe94376e2d0ffc83bfd80f75c9857e2cd", + "zh:2ed80ee2aa5db4fe29700e5488cd67409331a5a586102511a512c34e0f31bc38", + "zh:30cbf46810151a2f587bbeb4172e3534186e4cfae03d4d91a90dc4d3b304acb4", + "zh:449b4562b8530e2d3e7555d3ed9bc0a5a9ead1067784e86572b26b98f87a073f", + "zh:7a853b8ae08304c8d4e8d37a607e21d1a06e0956b3aef9e52b569dc556438d90", + "zh:8a6923372241b0b4aa58631e5a9487b6c8eebd456d001422f0b05f707ec29744", + "zh:90e1b8c7a51a97d2cae255b225f9260bf75bff72c13b791453fbed8f2d2ac729", + "zh:a0b4f62de237913e22387630668a79754fb23c231ea8629615722287cf5e58c5", + "zh:c4632d2dad5ec905f625b75b80d996047967c1d2105c11daad8cbc69972fdeda", + "zh:ce8866ce789f27e97b890dd8a82dea101deb66daf2e651ed387584aecc51d8b4", ] } diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf index ebd2ffdb1..ba46170ba 100644 --- a/tofu/modules/services/backend-infra/main.tf +++ b/tofu/modules/services/backend-infra/main.tf 
@@ -247,24 +247,6 @@ resource "aws_vpc_security_group_egress_rule" "allow_tls_to_all" { cidr_ipv4 = "0.0.0.0/0" } -resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { - security_group_id = aws_security_group.backend.id - description = "smtp to internet" - from_port = 587 - to_port = 587 - ip_protocol = "tcp" - cidr_ipv4 = "0.0.0.0/0" -} - -resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { - security_group_id = aws_security_group.backend.id - description = "smtp to internet" - from_port = 587 - to_port = 587 - ip_protocol = "tcp" - cidr_ipv4 = "0.0.0.0/0" -} - resource "aws_vpc_security_group_egress_rule" "allow_smtp_to_all" { security_group_id = aws_security_group.backend.id description = "smtp to internet" diff --git a/tofu/modules/services/frontend-infra/main.tf b/tofu/modules/services/frontend-infra/main.tf index fa6fcc34e..f00e0c0c3 100644 --- a/tofu/modules/services/frontend-infra/main.tf +++ b/tofu/modules/services/frontend-infra/main.tf @@ -87,7 +87,6 @@ data "aws_secretsmanager_secret_version" "x_allow_value" { resource "aws_cloudfront_distribution" "appointment" { comment = "appointment ${var.environment} frontend" enabled = true - //default_root_object = "index.html" aliases = ["${var.environment}.appointment.day"] @@ -96,13 +95,6 @@ resource "aws_cloudfront_distribution" "appointment" { include_cookies = true } - aliases = ["${var.environment}.appointment.day"] - - logging_config { - bucket = "${aws_s3_bucket.request_logs.id}.s3.amazonaws.com" - include_cookies = true - } - origin { origin_id = "${var.name_prefix}-frontend" domain_name = aws_s3_bucket.frontend.bucket_domain_name 
@@ -222,27 +214,6 @@ resource "aws_cloudfront_function" "rewrite" {
 EOT
 }
-resource "aws_cloudfront_function" "add_index" {
- name = "${var.name_prefix}-add-index"
- runtime = "cloudfront-js-2.0"
- code = < Date: Fri, 17 May 2024 14:14:27 -0400 Subject: [PATCH 290/298] add cloudfront invalidation to deploy --- .github/workflows/deploy-production.yml | 13 ++++++++++++- .github/workflows/deploy-staging.yml | 15 +++++++++++---- tofu/modules/services/frontend-infra/output.tf | 4 ++++ 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index d006fdbba..677eb8cf6 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -18,6 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 bucket: ${{ steps.output-bucket-name.outputs.bucket }}
+ cloudfront_id: ${{ steps.output-cloudfront-distro.outputs.cloudfront_id }}
 # env:
 # TF_VAR_region: ${{ vars.AWS_REGION }}
 # TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }}
@@ -102,6 +103,13 @@ jobs:
 output=$(terragrunt output bucket_name | tr -d '"')
 echo bucket=$output >> $GITHUB_OUTPUT
 
+ - name: output-cloudfront-distro
+ id: output-cloudfront-distro
+ working-directory: ./tofu/environments/stage/services/frontend-infra
+ run: |
+ output=$(terragrunt output cloudfront_id)
+ echo cloudfront_id=$output >> $GITHUB_OUTPUT
+
 release-production:
 name: Release to Production
 needs: deploy-iac
@@ -151,4 +159,7 @@ jobs:
 # terragrunt apply tfplan
 
 # - name: Deploy frontend to S3
-# run: aws s3 sync ./frontend/frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}"
\ No newline at end of file
+# run: aws s3 sync ./frontend/frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}"
+
+ - name: Invalidate Cloudfront cache
+ run: aws cloudfront create-invalidation --distribution-id ${{ needs.deploy-iac.outputs.cloudfront_id }} --paths "/*"
\ No newline at end of file
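Review bot: The new `output-cloudfront-distro` step in deploy-production.yml runs in `./tofu/environments/stage/services/frontend-infra`, so the `release-production` job below invalidates the staging distribution rather than the production one; its `working-directory` should point at the production environment (the `output-bucket-name` step's directory is outside the hunk, but is worth checking for the same mistake). The step also drops the `| tr -d '"'` that the bucket step uses, so `cloudfront_id` is stored with its HCL quotes and only works in the invalidation command because the shell happens to re-parse them. Prefer `output=$(terragrunt output -raw cloudfront_id)` so the value is usable anywhere the job output is consumed.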
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index efa86d480..45ece1502 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -48,6 +48,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 bucket: ${{ steps.output-bucket-name.outputs.bucket }}
+ cloudfront_id: ${{ steps.output-cloudfront-distro.outputs.cloudfront_id }}
 env:
 TF_VAR_region: ${{ vars.AWS_REGION }}
 TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }}
@@ -132,6 +133,13 @@ jobs:
 output=$(terragrunt output bucket_name | tr -d '"')
 echo bucket=$output >> $GITHUB_OUTPUT
 
+ - name: output-cloudfront-distro
+ id: output-cloudfront-distro
+ working-directory: ./tofu/environments/stage/services/frontend-infra
+ run: |
+ output=$(terragrunt output cloudfront_id)
+ echo cloudfront_id=$output >> $GITHUB_OUTPUT
+
 deploy-frontend:
 needs:
 - detect-changes
@@ -168,10 +176,9 @@ jobs:
 role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC
 aws-region: ${{ vars.AWS_REGION }}
 
-# - name: Build frontend archive
-# run: |
-# zip -r frontend.zip frontend/dist
-#
+ - name: Invalidate Cloudfront cache
+ run: aws cloudfront create-invalidation --distribution-id ${{ needs.deploy-iac.outputs.cloudfront_id }} --paths "/*"
+
 - name: Archive Frontend
 uses: actions/upload-artifact@v4
 with:
diff --git a/tofu/modules/services/frontend-infra/output.tf b/tofu/modules/services/frontend-infra/output.tf
index cc455bb84..a64278fd5 100644
--- a/tofu/modules/services/frontend-infra/output.tf
+++ b/tofu/modules/services/frontend-infra/output.tf
@@ -9,3 +9,7 @@ output "bucket_name" {
 output "cloudfront_arn" {
 value = aws_cloudfront_distribution.appointment.arn
 }
+
+output "cloudfront_id" {
+ value = aws_cloudfront_distribution.appointment.id
+}
\ No newline at end of file
From ef0145698384e533adbd9860aecdef2f9afc7aef Mon Sep 17 00:00:00 2001
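Review bot: The `Invalidate Cloudfront cache` step is inserted before `Archive Frontend` in the `deploy-frontend` job; if the upload of the built frontend to S3 happens later in this job (the sync step is not in the hunk), the invalidation runs while the old objects are still in the bucket and the new build can be served stale until the cache TTL expires, so the step belongs after the upload. The value interpolated via `${{ needs.deploy-iac.outputs.cloudfront_id }}` is expanded straight into the shell script; passing it through `env:` and using `"$CLOUDFRONT_ID"` avoids depending on the shell re-parsing the quotes that the unstripped `terragrunt output` leaves in the job output. The rest of the `deploy-frontend` job is outside the hunk.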
From: Jo Date: Fri, 17 May 2024 14:34:43 -0400 Subject: [PATCH 291/298] cleanup & add taskdef output --- tofu/modules/services/backend-service/outputs.tf | 3 +++ tofu/modules/services/frontend-infra/{output.tf => outputs.tf} | 0 2 files changed, 3 insertions(+) create mode 100644 tofu/modules/services/backend-service/outputs.tf rename tofu/modules/services/frontend-infra/{output.tf => outputs.tf} (100%)
diff --git a/tofu/modules/services/backend-service/outputs.tf b/tofu/modules/services/backend-service/outputs.tf new file mode 100644
index 000000000..fa5db1956
--- /dev/null
+++ b/tofu/modules/services/backend-service/outputs.tf
@@ -0,0 +1,3 @@
+output "taskdef_arn" {
+ value = aws_ecs_task_definition.backend.arn
+}
\ No newline at end of file
diff --git a/tofu/modules/services/frontend-infra/output.tf b/tofu/modules/services/frontend-infra/outputs.tf similarity index 100% rename from tofu/modules/services/frontend-infra/output.tf rename to tofu/modules/services/frontend-infra/outputs.tf
From dd893f9d16ef6e6e24e80f5a8e9f54d39a198a25 Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 17 May 2024 14:47:17 -0400 Subject: [PATCH 292/298] comment fix & deployment test --- .github/workflows/deploy-staging.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 45ece1502..18523ac44 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -12,7 +12,7 @@ on:
 
 permissions:
 id-token: write # This is required for requesting the JWT
- contents: write # This is required for actions/checkout
+ contents: write # This is required to create a release
 
 jobs:
 detect-changes:
From 508c2d3ecf918d2f6a01776179545540bb968005 Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 17 May 2024 15:30:59 -0400 Subject: [PATCH 293/298] enable TLS for redis --- tofu/modules/services/backend-service/main.tf | 4 ++++ 1 file changed, 4 insertions(+)
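Review bot: `contents: write` sits in the workflow-level `permissions:` block of deploy-staging.yml, so every job in the workflow — including the ones that only plan or apply infrastructure with the OIDC-assumed AWS role — gets a GITHUB_TOKEN that can push to the repository, while the corrected comment says it is needed only to create a release. Keep the top level at `contents: read` and grant `contents: write` in a job-level `permissions:` block on the job that creates the release; `id-token: write` can likewise be limited to the jobs that call the AWS credentials action. The jobs themselves are outside this hunk, so which job needs the release permission is inferred from the comment.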
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index 66ed96f41..948ff1939 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -117,6 +117,10 @@ resource "aws_ecs_task_definition" "backend" {
 {
 "name": "REDIS_DB",
 "value": "0"
+ },
+ {
+ "name": "REDIS_USE_SSL",
+ "value": "True"
 }
 ],
 secrets = [
From 179397d4219200cfe83b9d5b5ae622e7ba7d1326 Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 17 May 2024 15:43:39 -0400 Subject: [PATCH 294/298] disable redis TLS until further testing --- tofu/modules/services/backend-service/main.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index 948ff1939..c838ca606 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -108,19 +108,19 @@ resource "aws_ecs_task_definition" "backend" {
 },
 {
 "name": "REDIS_URL",
- "value": var.redis_endpoint
+ "value": "" #var.redis_endpoint
 },
 {
 "name": "REDIS_PORT",
- "value": "6379"
+ "value": "" #"6379"
 },
 {
 "name": "REDIS_DB",
- "value": "0"
+ "value": "" #"0"
 },
 {
 "name": "REDIS_USE_SSL",
- "value": "True"
+ "value": "" #"True"
 }
 ],
 secrets = [
From 6536a8fc1b1250f789c051b27eb1242c38b0dbf0 Mon Sep 17 00:00:00 2001 From: Jo Date: Fri, 17 May 2024 15:54:56 -0400 Subject: [PATCH 295/298] disable redis TLS until further testing --- tofu/modules/services/backend-service/main.tf | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index c838ca606..6d3b78ba7 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -105,23 +105,23 @@ resource "aws_ecs_task_definition" "backend" {
 {
 "name" : "JWT_EXPIRE_IN_MINS",
 "value" : "10000"
- },
- {
- "name": "REDIS_URL",
- "value": "" #var.redis_endpoint
- },
- {
- "name": "REDIS_PORT",
- "value": "" #"6379"
- },
- {
- "name": "REDIS_DB",
- "value": "" #"0"
- },
- {
- "name": "REDIS_USE_SSL",
- "value": "" #"True"
- }
+ }#,
+ #{
+ # "name": "REDIS_URL",
+ # "value": "" #var.redis_endpoint
+ #},
+ #{
+ # "name": "REDIS_PORT",
+ # "value": "" #"6379"
+ #},
+ #{
+ # "name": "REDIS_DB",
+ # "value": "" #"0"
+ #},
+ #{
+ # "name": "REDIS_USE_SSL",
+ # "value": "" #"True"
+ #}
 ],
 secrets = [
 {
From b2342bb0f4c540338a673f4d14b676df60de66e5 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 21 May 2024 08:14:57 -0400 Subject: [PATCH 296/298] preparing to merge --- .github/workflows/deploy-production.yml | 70 +++++++++---------- .github/workflows/deploy-staging.yml | 1 - tofu/modules/services/backend-service/main.tf | 5 +- 3 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index 677eb8cf6..60e7590d5 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
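Review bot: The commented-out Redis block keeps the `"value": ""` placeholders introduced by the previous commit instead of the real settings, so whoever re-enables it has to recover `var.redis_endpoint`, `"6379"`, `"0"` and `"True"` from git history. Since the block is now inert, put the intended values back inside the comments (e.g. `#  "value": var.redis_endpoint`) and drop the `#"6379"`-style trailing notes, or better, gate the four entries on a `var.redis_enabled` flag so the task definition does not need to be hand-edited when the application is ready. The `environment` list this hunk edits starts and ends inside the hunk, but the enclosing `aws_ecs_task_definition` does not.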
@@ -55,45 +55,45 @@ jobs:
 sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64"
 sudo chmod +x /bin/terragrunt
 terragrunt -v
-#
-# - name: vpc
-# working-directory: ./tofu/environments/stage/network/vpc
-# run: |
-# terragrunt init -upgrade
-# terragrunt validate
-# terragrunt plan -out tfplan
+
+ - name: vpc
+ working-directory: ./tofu/environments/stage/network/vpc
+ run: |
+ terragrunt init -upgrade
+ terragrunt validate
+ terragrunt plan -out tfplan
 # terragrunt apply tfplan
-#
-# - name: backend-infra
-# working-directory: ./tofu/environments/stage/services/backend-infra
-# run: |
-# terragrunt init -upgrade
-# terragrunt validate
-# terragrunt plan -out tfplan
+
+ - name: backend-infra
+ working-directory: ./tofu/environments/stage/services/backend-infra
+ run: |
+ terragrunt init -upgrade
+ terragrunt validate
+ terragrunt plan -out tfplan
 # terragrunt apply tfplan
-#
-# - name: cache
-# working-directory: ./tofu/environments/stage/data-store/cache
-# run: |
-# terragrunt init -upgrade
-# terragrunt validate
-# terragrunt plan -out tfplan
+
+ - name: cache
+ working-directory: ./tofu/environments/stage/data-store/cache
+ run: |
+ terragrunt init -upgrade
+ terragrunt validate
+ terragrunt plan -out tfplan
 # terragrunt apply tfplan
-#
-# - name: database
-# working-directory: ./tofu/environments/stage/data-store/database
-# run: |
-# terragrunt init -upgrade
-# terragrunt validate
-# terragrunt plan -out tfplan
+
+ - name: database
+ working-directory: ./tofu/environments/stage/data-store/database
+ run: |
+ terragrunt init -upgrade
+ terragrunt validate
+ terragrunt plan -out tfplan
 # terragrunt apply tfplan
-#
-# - name: frontend-infra
-# working-directory: ./tofu/environments/stage/services/frontend-infra
-# run: |
-# terragrunt init -upgrade
-# terragrunt validate
-# terragrunt plan -out tfplan
+
+ - name: frontend-infra
+ working-directory: ./tofu/environments/stage/services/frontend-infra
+ run: |
+ terragrunt init -upgrade
+ terragrunt validate
+ terragrunt plan -out tfplan
 # terragrunt apply tfplan
 
 - name: output-bucket-name
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
index 18523ac44..46982c571 100644
--- a/.github/workflows/deploy-staging.yml
+++ b/.github/workflows/deploy-staging.yml
@@ -8,7 +8,6 @@ on:
 push:
 branches:
 - main
- - add-tf-iac
 
 permissions:
 id-token: write # This is required for requesting the JWT
diff --git a/tofu/modules/services/backend-service/main.tf b/tofu/modules/services/backend-service/main.tf
index 6d3b78ba7..9bd81da7a 100644
--- a/tofu/modules/services/backend-service/main.tf
+++ b/tofu/modules/services/backend-service/main.tf
@@ -105,7 +105,8 @@ resource "aws_ecs_task_definition" "backend" {
 {
 "name" : "JWT_EXPIRE_IN_MINS",
 "value" : "10000"
- }#,
+ # Redis integration disabled pending application code updates
+ #},
 #{
 # "name": "REDIS_URL",
 # "value": "" #var.redis_endpoint
@@ -121,7 +122,7 @@ resource "aws_ecs_task_definition" "backend" {
 #{
 # "name": "REDIS_USE_SSL",
 # "value": "" #"True"
- #}
+ }
 ],
 secrets = [
 {
From ff716759a4d74b29307c509032d18032821203de Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 21 May 2024 08:19:26 -0400 Subject: [PATCH 297/298] add production backend-service code --- .../services/backend-service/terragrunt.hcl | 90 +++++++++++++++++++ tofu/modules/services/backend-infra/main.tf | 2 +- 2 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 tofu/environments/production/services/backend-service/terragrunt.hcl
diff --git a/tofu/environments/production/services/backend-service/terragrunt.hcl b/tofu/environments/production/services/backend-service/terragrunt.hcl new file mode 100644
index 000000000..2a2243204
--- /dev/null
+++ b/tofu/environments/production/services/backend-service/terragrunt.hcl
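Review bot: Every plan step re-enabled in deploy-production.yml points at `./tofu/environments/stage/...` (vpc, backend-infra, cache, database, frontend-infra), so the production workflow plans — and, once the commented `terragrunt apply tfplan` lines come back, will apply — the staging stacks; they should reference `./tofu/environments/production/...`. Each step also runs `terragrunt init -upgrade`, which lets OpenTofu select provider versions newer than the ones recorded in the committed `.terraform.lock.hcl` files and so defeats the pinning and hash verification those lockfiles provide on a production path; plain `terragrunt init` keeps the locked versions. The five steps are identical apart from the directory, so a `matrix` over the stack paths, or a reusable workflow taking the environment as an input, would set the environment once and make a stage/production mix-up impossible.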
@@ -0,0 +1,90 @@
+include "root" {
+ path = find_in_parent_folders()
+ expose = true
+}
+
+include "env" {
+ path = find_in_parent_folders("environment.hcl")
+ expose = true
+}
+
+terraform {
+ source = "../../../../modules/services/backend-service"
+}
+
+dependency "vpc" {
+ config_path = "../../network/vpc"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ private_subnets = ["subnet-mocksubnet1234567"]
+ ecs_execution_role = "arn:aws:iam::768512802988:role/mockrolearn"
+ }
+}
+
+dependency "backend-infra" {
+ config_path = "../backend-infra"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ target_group_arn = "arn:aws:elasticloadbalancing:us-east-1:768512802988:targetgroup/mocktg/12345678901234"
+ log_group = "MOCK_LOGS"
+ cluster_id = "MOCK_CLUSTER_ID"
+ security_group_id = "MOCK_SG"
+ }
+}
+
+dependency "database" {
+ config_path = "../../data-store/database"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ db_secret = "arn:aws:secretsmanager:us-east-1:768512802988:secret:mocksecretarn"
+ }
+}
+
+dependency "cache" {
+ config_path = "../../data-store/cache"
+
+ mock_outputs_allowed_terraform_commands = ["init", "validate", "plan"]
+ mock_outputs = {
+ redis_endpoint = "mockcache.serverless.use1.cache.amazonaws.com"
+ }
+}
+
+locals {
+ environment = get_env("TF_VAR_environment")
+ name_prefix = get_env("TF_VAR_name_prefix")
+ region = get_env("TF_VAR_region")
+ project = include.root.locals.project
+ short_name = include.root.locals.short_name
+ project_tags = include.root.locals.tags
+ environment_tags = include.env.locals.tags
+ tags = "${merge(local.project_tags, local.environment_tags)}"
+}
+
+inputs = {
+ name_prefix = local.name_prefix
+ region = local.region
+ subnets = dependency.vpc.outputs.private_subnets
+ log_group = dependency.backend-infra.outputs.log_group
+ target_group_arn = dependency.backend-infra.outputs.target_group_arn
+ security_group = dependency.backend-infra.outputs.security_group_id
+ ecs_cluster = dependency.backend-infra.outputs.cluster_id
+ task_execution_role = dependency.vpc.outputs.ecs_execution_role
+ frontend_url = get_env("TF_VAR_frontend_url")
+ short_base_url = get_env("TF_VAR_short_base_url")
+ app_env = get_env("TF_VAR_app_env")
+ sentry_dsn = get_env("TF_VAR_sentry_dsn")
+ zoom_auth_callback = get_env("TF_VAR_zoom_callback")
+ short_name = local.short_name
+ database_secret = dependency.database.outputs.db_secret
+ db_enc_secret = get_env("TF_VAR_db_enc_secret")
+ smtp_secret = get_env("TF_VAR_smtp_secret")
+ google_oauth_secret = get_env("TF_VAR_google_oauth_secret")
+ zoom_secret = get_env("TF_VAR_zoom_secret")
+ fxa_secret = get_env("TF_VAR_fxa_secret")
+ log_level = get_env("TF_VAR_log_level")
+ redis_endpoint = dependency.cache.outputs.endpoint
+ tags = local.tags
+}
\ No newline at end of file
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf
index ba46170ba..5d98b5012 100644
--- a/tofu/modules/services/backend-infra/main.tf
+++ b/tofu/modules/services/backend-infra/main.tf
@@ -73,7 +73,7 @@ module "backend_alb" {
 vpc_id = var.vpc
 subnets = var.subnets
 
- enable_deletion_protection = false #var.environment != "sandbox" ? true : false
+ enable_deletion_protection = var.environment == "production" ? true : false
 
 security_group_ingress_rules = {
 inbound_5000 = {
From 92fdaabb3e55f07be7f094310eda5d9120f1aa73 Mon Sep 17 00:00:00 2001 From: Jo Date: Tue, 21 May 2024 15:09:51 -0400 Subject: [PATCH 298/298] merge fixes and comments for clarity --- .github/workflows/deploy-production.yml | 13 +++++++------ tofu/environments/stage/environment.hcl | 4 ---- tofu/modules/services/backend-infra/main.tf | 9 --------- 3 files changed, 7 insertions(+), 19 deletions(-)
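Review bot: `redis_endpoint = dependency.cache.outputs.endpoint` reads an output named `endpoint`, but the `cache` dependency's `mock_outputs` only declares `redis_endpoint`, so `init`/`validate`/`plan` with mocks will fail on the missing attribute; whichever name the cache module actually exports (its outputs.tf is not visible here), the mock key and the reference must agree, e.g. `redis_endpoint = dependency.cache.outputs.redis_endpoint`. The inputs also take `db_enc_secret`, `smtp_secret`, `google_oauth_secret`, `zoom_secret` and `fxa_secret` straight from `TF_VAR_*` environment variables — if those carry secret values rather than Secrets Manager ARNs like `database_secret`, they end up in plan output and state, so confirm they are ARNs and mark the module variables `sensitive`. The mock ARNs embed what looks like a real account ID (`768512802988`); a placeholder such as `123456789012` keeps account details out of mocks.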
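Review bot: `var.environment == "production" ? true : false` is already a boolean expression, so `enable_deletion_protection = var.environment == "production"` says the same thing without the conditional. The comparison also means every non-production ALB is unprotected and can be destroyed by a plan with no guard, which may be intended but deserves a comment such as `# only the production ALB is protected from accidental destroy`. The `backend_alb` module block continues outside the hunk.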
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
index 60e7590d5..979798911 100644
--- a/.github/workflows/deploy-production.yml
+++ b/.github/workflows/deploy-production.yml
@@ -62,7 +62,7 @@ jobs:
 terragrunt init -upgrade
 terragrunt validate
 terragrunt plan -out tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
 
 - name: backend-infra
 working-directory: ./tofu/environments/stage/services/backend-infra
@@ -70,7 +70,7 @@ jobs:
 terragrunt init -upgrade
 terragrunt validate
 terragrunt plan -out tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
 
 - name: cache
 working-directory: ./tofu/environments/stage/data-store/cache
@@ -78,7 +78,7 @@ jobs:
 terragrunt init -upgrade
 terragrunt validate
 terragrunt plan -out tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
 
 - name: database
 working-directory: ./tofu/environments/stage/data-store/database
@@ -86,7 +86,7 @@ jobs:
 terragrunt init -upgrade
 terragrunt validate
 terragrunt plan -out tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
 
 - name: frontend-infra
 working-directory: ./tofu/environments/stage/services/frontend-infra
@@ -94,7 +94,7 @@ jobs:
 terragrunt init -upgrade
 terragrunt validate
 terragrunt plan -out tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
 
 - name: output-bucket-name
 id: output-bucket-name
@@ -156,8 +156,9 @@ jobs:
 terragrunt validate
 terragrunt plan -var "image=$(cat steps.get_ecr_tag.outputs.*)" -out tfplan
 cat tfplan
-# terragrunt apply tfplan
+# terragrunt apply tfplan # will be re-enabled once release workflow is tested
+# will be re-enabled once release workflow is tested
 
 # - name: Deploy frontend to S3
 # run: aws s3 sync ./frontend/frontend/dist "s3://${{ needs.deploy-iac.outputs.bucket }}"
diff --git a/tofu/environments/stage/environment.hcl b/tofu/environments/stage/environment.hcl
index 17fcc14ec..13b0a99d8 100644
--- a/tofu/environments/stage/environment.hcl
+++ b/tofu/environments/stage/environment.hcl
@@ -23,10 +23,6 @@ generate "versions" {
 source = "hashicorp/random"
 version = ">= 3.6.1"
 }
- random = {
- source = "hashicorp/random"
- version = ">= 3.6.1"
- }
 }
 }
 EOF
diff --git a/tofu/modules/services/backend-infra/main.tf b/tofu/modules/services/backend-infra/main.tf
index 5d98b5012..27348f63b 100644
--- a/tofu/modules/services/backend-infra/main.tf
+++ b/tofu/modules/services/backend-infra/main.tf
@@ -27,15 +27,6 @@ resource "random_string" "x_allow_suffix" {
 special = false
 upper = true
 }
-
-resource "random_string" "x_allow_suffix" {
- length = 8
- lower = true
- numeric = false
- special = false
- upper = true
-}
-
 resource "aws_secretsmanager_secret" "x_allow_secret" {
 name = "${var.name_prefix}-x-allow-secret-${random_string.x_allow_suffix.result}"
 }
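Review bot: The added line `# will be re-enabled once release workflow is tested` immediately repeats the trailing comment appended to the `terragrunt apply tfplan` line above it; drop the duplicate. While in this step, the context line `terragrunt plan -var "image=$(cat steps.get_ecr_tag.outputs.*)"` appears to be a shell command substitution over a literal path rather than a `${{ steps.get_ecr_tag.outputs.… }}` expression, so the image tag would be empty once the apply is re-enabled; it looks pre-existing, but it will bite as soon as this job goes live, and `cat tfplan` on a binary plan file should be `terragrunt show tfplan` if the intent is to review the plan in the log.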