Fix CUR 2.0: BILLING_VIEW_ARN + BCM read permissions

[Alexanderamiri]

Summary

• BILLING_VIEW_ARN: set to actual AWS value to prevent provider drift bug (#42761)
• bcm-data-exports:Get*/List*: added to CI plan role (not in ReadOnlyAccess managed policy)
• IAM policy already applied manually to unblock CI

Plan verified locally — 1 add (CUR recreate from taint), 1 change (resource_tagger code), 1 destroy (tainted CUR).

Test plan

• terraform plan passes locally with --profile javabin
• CI plan passes
• Apply recreates CUR export successfully

[github-actions]

Terraform Plan

🚧 Changes detected — Plan: 1 to add, 0 to change, 1 to destroy.

Plan output

Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.cost_analytics.aws_bcmdataexports_export.cur is tainted, so must be replaced
-/+ resource "aws_bcmdataexports_export" "cur" {
      ~ id       = "arn:aws:bcm-data-exports:us-east-1:553637109631:export/javabin-cur-b0b1f0ef-861d-40a0-b7ba-b37de8344576" -> (known after apply)
        # (1 unchanged attribute hidden)

      ~ export {
          ~ export_arn = "arn:aws:bcm-data-exports:us-east-1:553637109631:export/javabin-cur-b0b1f0ef-861d-40a0-b7ba-b37de8344576" -> (known after apply)
            name       = "javabin-cur"

            # (3 unchanged blocks hidden)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "tfplan"

---

LLM Review

Risk: 🟢 LOW

Terraform plan replaces a tainted AWS BCM Data Exports resource for cost analytics with no impact to production infrastructure.

• ✅ [routine] BCM Data Exports resource (aws_bcmdataexports_export.cur) is being replaced due to taint. This is a cost analytics data export configuration that will be recreated with the same settings.
• ✅ [routine] No production infrastructure changes: all Lambda functions, ECS clusters, networking, IAM roles, and security groups remain unchanged.
• ✅ [routine] No data loss or service disruption: the replacement is for a data export configuration, not a database or critical service.
• 💰 [cost] Minimal cost impact: BCM Data Exports is a low-cost service. Brief interruption in cost data export during replacement is expected.
• ✅ [routine] No security changes: no IAM permissions, security groups, or access controls are being modified.