From 2bc260f0ed40f7330ff7654cc299d3d6fd9cf70a Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Fri, 27 Mar 2026 16:35:46 +0100
Subject: [PATCH 1/2] Work around CUR 2.0 provider bug: declare BILLING_VIEW_ARN
AWS returns BILLING_VIEW_ARN in the CreateExport response even when not set, causing "inconsistent result after apply". Declaring it as empty string prevents the drift.
Ref: github.com/hashicorp/terraform-provider-aws/issues/42761
---
 terraform/platform/cost-analytics/main.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/platform/cost-analytics/main.tf b/terraform/platform/cost-analytics/main.tf
index 993faba..c194cb1 100644
--- a/terraform/platform/cost-analytics/main.tf
+++ b/terraform/platform/cost-analytics/main.tf
@@ -164,6 +164,9 @@ resource "aws_bcmdataexports_export" "cur" {
 INCLUDE_RESOURCES = "TRUE"
 INCLUDE_MANUAL_DISCOUNT_COMPATIBILITY = "FALSE"
 INCLUDE_SPLIT_COST_ALLOCATION_DATA = "FALSE"
+ # AWS returns this in response even when unset — must declare to
+ # avoid "inconsistent result after apply" provider bug (issue #42761)
+ BILLING_VIEW_ARN = ""
 }
 }
 }
From e2dbfc487cc5b005a1ed075ed626fb545edf7215 Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Fri, 27 Mar 2026 16:50:26 +0100
Subject: [PATCH 2/2] Fix CUR 2.0: BILLING_VIEW_ARN workaround + BCM read permissions
- Set BILLING_VIEW_ARN to match AWS response value (provider bug #42761)
- Add bcm-data-exports:Get*/List* to CI plan role (not in ReadOnlyAccess)
- IAM policy already applied manually to unblock CI
---
 terraform/platform/cost-analytics/main.tf | 2 +-
 terraform/platform/iam/main.tf | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/terraform/platform/cost-analytics/main.tf b/terraform/platform/cost-analytics/main.tf
index c194cb1..605b7b8 100644
--- a/terraform/platform/cost-analytics/main.tf
+++ b/terraform/platform/cost-analytics/main.tf
@@ -166,7 +166,7 @@ resource "aws_bcmdataexports_export" "cur" {
 INCLUDE_SPLIT_COST_ALLOCATION_DATA = "FALSE"
 # AWS returns this in response even when unset — must declare to
 # avoid "inconsistent result after apply" provider bug (issue #42761)
- BILLING_VIEW_ARN = ""
+ BILLING_VIEW_ARN = "arn:aws:billing::${var.aws_account_id}:billingview/primary"
 }
 }
 }
diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index cdca0db..1cbf57f 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -132,6 +132,16 @@ resource "aws_iam_role_policy" "ci_infra_plan_extras" {
 Action = "pricing:GetProducts"
 Resource = "*"
 },
+ {
+ # BCM Data Exports (CUR 2.0) — not in ReadOnlyAccess managed policy
+ Sid = "BCMDataExportsRead"
+ Effect = "Allow"
+ Action = [
+ "bcm-data-exports:Get*",
+ "bcm-data-exports:List*",
+ ]
+ Resource = "*"
+ },
 ]
 })
 }
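Review bot: The two comment lines kept above `BILLING_VIEW_ARN` still say the key only has to be declared, but the new value works because it equals what AWS returns, so a later reader could reset it to an empty string and bring the apply error back. I would reword the comment to something like `# AWS returns the primary billing view ARN even when unset; this value must match it exactly (provider issue #42761)`. The ARN also hard-codes the `aws` partition, which is fine for a commercial-partition account but worth a short comment if this module is ever reused elsewhere. The resource block starts outside the hunk, so I cannot see how `var.aws_account_id` is populated.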
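Review bot: The `Get*`/`List*` wildcards in the new `BCMDataExportsRead` statement will automatically include any read action AWS later adds to this service, and with `Resource = "*"` the CI plan role can read the definition of every export in the account. Listing the actions explicitly keeps the grant reviewable, for example `Action = ["bcm-data-exports:GetExport", "bcm-data-exports:ListExports", "bcm-data-exports:ListTagsForResource"]`; the exact set should be confirmed against what a plan run actually calls. The commit message says the policy was already applied by hand, so the first plan after merge should show no diff for `ci_infra_plan_extras`; a diff would mean the manual change and this statement disagree. The policy document starts outside the hunk.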