decom App Runner

Author: sorah

tf/apprunner.tf

@@ -64,26 +64,6 @@ resource "aws_cloudfront_distribution" "main" {
     }
   }
 
-  origin {
-    origin_id           = "apprunner"
-    domain_name         = replace(aws_apprunner_service.main[0].service_url, "https://", "")
-    origin_path         = null
-    connection_attempts = 3
-    connection_timeout  = 10
-    custom_header {
-      name  = "x-forwarded-host"
-      value = var.app_domain
-    }
-    custom_origin_config {
-      http_port                = 80
-      https_port               = 443
-      origin_read_timeout      = 30
-      origin_keepalive_timeout = 5
-      origin_protocol_policy   = "https-only"
-      origin_ssl_protocols     = ["TLSv1.2"]
-    }
-  }
-
   ordered_cache_behavior {
     target_origin_id = "functionurl"
     path_pattern     = "/vite/*"

tf/cloudfront.tf

@@ -78,31 +78,6 @@ data "aws_iam_policy_document" "GhaSponsorDeploy" {
     resources = ["arn:aws:ecs:us-west-2:${data.aws_caller_identity.current.account_id}:service/*/sponsor-*"]
   }
 
-  # AppRunner permissions (only when AppRunner is enabled)
-  dynamic "statement" {
-    for_each = var.enable_app ? [1] : []
-    content {
-      effect = "Allow"
-      actions = [
-        "apprunner:DescribeService",
-        "apprunner:UpdateService",
-        "apprunner:ListOperations",
-        "apprunner:ListTagsForResource",
-      ]
-      resources = [
-        aws_apprunner_service.main[0].arn,
-      ]
-    }
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "apprunner:ListServices",
-    ]
-    resources = ["*"]
-  }
-
   statement {
     effect = "Allow"
     actions = [
@@ -117,13 +92,10 @@ data "aws_iam_policy_document" "GhaSponsorDeploy" {
     actions = [
       "iam:PassRole",
     ]
-    resources = concat(
-      [
-        aws_iam_role.SponsorApp.arn,
-        "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/EcsExecSponsorApp",
-      ],
-      var.enable_app ? [aws_iam_role.app-runner-access[0].arn] : []
-    )
+    resources = [
+      aws_iam_role.SponsorApp.arn,
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/EcsExecSponsorApp",
+    ]
   }
 
   statement {
@@ -165,10 +137,7 @@ data "aws_iam_policy_document" "GhaSponsorDeploy" {
       "iam:ListRolePolicies",
       "iam:ListAttachedRolePolicies",
     ]
-    resources = concat(
-      [aws_iam_role.SponsorApp.arn],
-      var.enable_app ? [aws_iam_role.app-runner-access[0].arn] : []
-    )
+    resources = [aws_iam_role.SponsorApp.arn]
   }
 
   statement {

tf/iam_GhaSponsorDeploy.tf

@@ -6,15 +6,14 @@ resource "aws_iam_role" "SponsorApp" {
 }
 
 data "aws_iam_policy_document" "SponsorApp-trust" {
-  # Service principal trust for AppRunner, ECS, and Lambda (always enabled)
+  # Service principal trust for ECS and Lambda (always enabled)
   statement {
     effect  = "Allow"
     actions = ["sts:AssumeRole"]
     principals {
       type = "Service"
       identifiers = [
         "ecs-tasks.amazonaws.com",
-        "tasks.apprunner.amazonaws.com",
         "lambda.amazonaws.com",
       ]
     }

tf/iam_SponsorApp.tf

@@ -44,11 +44,11 @@ resource "aws_lambda_function" "app" {
     Environment = var.environment
   }
 
-  #lifecycle {
-  #  ignore_changes = [
-  #    image_uri,
-  #  ]
-  #}
+  lifecycle {
+    ignore_changes = [
+      image_uri,
+    ]
+  }
 }
 
 resource "aws_lambda_event_source_mapping" "lambdakiq" {
@@ -60,3 +60,8 @@ resource "aws_lambda_event_source_mapping" "lambdakiq" {
 
   function_response_types = ["ReportBatchItemFailures"]
 }
+
+output "lambda_env" {
+  value = merge(local.environments, {
+  })
+}

tf/lambda.tf

@@ -37,8 +37,3 @@ output "sqs_queue_url" {
   value       = var.enable_sqs ? aws_sqs_queue.activejob[0].url : null
   description = "SQS queue URL for ActiveJob"
 }
-
-output "apprunner_service_url" {
-  value       = var.enable_app ? aws_apprunner_service.main[0].service_url : null
-  description = "App Runner service URL"
-}

tf/outputs.tf

@@ -8,11 +8,6 @@ variable "name" {
   description = "Short environment name (prd, dev)"
 }
 
-variable "service_name" {
-  type        = string
-  description = "Name for AppRunner service and tags"
-}
-
 variable "sqs_name_suffix" {
   type        = string
   description = "Suffix for SQS queue names (prd, dev)"
@@ -23,11 +18,6 @@ variable "iam_role_prefix" {
   description = "PascalCase prefix for IAM role names (e.g., SponsorAppDev, SponsorApp)"
 }
 
-variable "iam_apprunner_access_name" {
-  type        = string
-  description = "Name for AppRunner ECR access IAM role"
-}
-
 variable "enable_shared_resources" {
   type        = bool
   description = "Enable shared resources (ECR, CloudWatch, EcsExec, GhaDeploy) - only true for prd"