From 245dc3f9b8993499f8b71e9b1989ab48d5ac6057 Mon Sep 17 00:00:00 2001
From: Alexander Amiri <alexander.amiri@piano.io>
Date: Sun, 8 Mar 2026 22:43:00 +0100
Subject: [PATCH] =?UTF-8?q?Remove=20CloudTrail=20from=20monitoring=20modul?=
 =?UTF-8?q?e=20=E2=80=94=20managed=20in=20org/?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The trail and S3 bucket are in terraform/org/cloudtrail.tf (human-applied).
CI role's permission boundary blocks cloudtrail:DeleteTrail, causing apply failures.
---
 scripts/post-review-comment.sh        |  12 +--
 terraform/platform/lambdas/main.tf    |   4 +-
 terraform/platform/monitoring/main.tf | 103 --------------------------
 3 files changed, 3 insertions(+), 116 deletions(-)

diff --git a/scripts/post-review-comment.sh b/scripts/post-review-comment.sh
index 605ab7e..f0809a8 100644
--- a/scripts/post-review-comment.sh
+++ b/scripts/post-review-comment.sh
@@ -3,26 +3,16 @@
 #
 # Usage: post-review-comment.sh
 #
-# Reads review-result.json and review-output.txt from current directory.
+# Reads review-output.txt from current directory.
 # Env: GH_TOKEN (or gh auth), GITHUB_REPOSITORY, PR_NUMBER
 
 set -e
 
-RISK=$(jq -r '.risk // "FAILED"' review-result.json 2>/dev/null || echo "FAILED")
 REVIEW=$(cat review-output.txt 2>/dev/null || echo "LLM review output not available.")
 
-case "$RISK" in
-  LOW)    EMOJI="🟢" ;;
-  MEDIUM) EMOJI="🟡" ;;
-  HIGH)   EMOJI="🔴" ;;
-  *)      EMOJI="⚪" ;;
-esac
-
 cat > /tmp/review-comment.md <<EOF
 ## LLM Plan Review
 
-**Risk: ${EMOJI} ${RISK}**
-
 ${REVIEW}
 EOF
 
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 9fb68af..a35074b 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -396,8 +396,8 @@ resource "aws_iam_role_policy" "team_provisioner" {
         Effect = "Allow"
         Action = [
           "budgets:CreateBudget",
-          "budgets:DescribeBudget",
-          "budgets:UpdateBudget",
+          "budgets:ModifyBudget",
+          "budgets:ViewBudget",
         ]
         Resource = "arn:aws:budgets::${var.aws_account_id}:budget/javabin-team-*"
       },
diff --git a/terraform/platform/monitoring/main.tf b/terraform/platform/monitoring/main.tf
index 6ebd2a4..c9f78db 100644
--- a/terraform/platform/monitoring/main.tf
+++ b/terraform/platform/monitoring/main.tf
@@ -1,106 +1,3 @@
-################################################################################
-# CloudTrail — required for EventBridge to receive API call events
-#
-# Without a trail, EventBridge rules matching "AWS API Call via CloudTrail"
-# never fire. This is the single trail (free tier) with management events only.
-################################################################################
-
-resource "aws_s3_bucket" "cloudtrail" {
-  bucket = "${var.project}-cloudtrail-${var.aws_account_id}"
-
-  tags = {
-    Name = "${var.project}-cloudtrail"
-  }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm = "aws:kms"
-    }
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  rule {
-    id     = "expire-old-logs"
-    status = "Enabled"
-
-    expiration {
-      days = 90
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "cloudtrail" {
-  bucket = aws_s3_bucket.cloudtrail.id
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Sid       = "AWSCloudTrailAclCheck"
-        Effect    = "Allow"
-        Principal = { Service = "cloudtrail.amazonaws.com" }
-        Action    = "s3:GetBucketAcl"
-        Resource  = aws_s3_bucket.cloudtrail.arn
-        Condition = {
-          StringEquals = {
-            "aws:SourceArn" = "arn:aws:cloudtrail:${var.region}:${var.aws_account_id}:trail/${var.project}-trail"
-          }
-        }
-      },
-      {
-        Sid       = "AWSCloudTrailWrite"
-        Effect    = "Allow"
-        Principal = { Service = "cloudtrail.amazonaws.com" }
-        Action    = "s3:PutObject"
-        Resource  = "${aws_s3_bucket.cloudtrail.arn}/AWSLogs/${var.aws_account_id}/*"
-        Condition = {
-          StringEquals = {
-            "s3:x-amz-acl"  = "bucket-owner-full-control"
-            "aws:SourceArn" = "arn:aws:cloudtrail:${var.region}:${var.aws_account_id}:trail/${var.project}-trail"
-          }
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_cloudtrail" "main" {
-  name                       = "${var.project}-trail"
-  s3_bucket_name             = aws_s3_bucket.cloudtrail.id
-  is_multi_region_trail      = true
-  enable_log_file_validation = true
-
-  # Send events to EventBridge (required for our rules to fire)
-  # This is enabled by default for management events when a trail exists,
-  # but being explicit about it
-  event_selector {
-    read_write_type           = "All"
-    include_management_events = true
-  }
-
-  depends_on = [aws_s3_bucket_policy.cloudtrail]
-
-  tags = {
-    Name = "${var.project}-trail"
-  }
-}
-
 ################################################################################
 # SNS Topics for Alerts
 ################################################################################