Merged
2 changes: 1 addition & 1 deletion modules/core/arc/README.md
@@ -44,7 +44,7 @@

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes |
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes |
| <a name="input_controller_config"></a> [controller\_config](#input\_controller\_config) | controller\_config = {<br/> release\_name: "Name of the Helm release."<br/> namespace: "Namespace for chart installation."<br/> chart\_name: "Chart name for the Helm chart."<br/> chart\_version: "Chart version for the Helm chart."<br/> name: "Name of the controller."<br/> } | <pre>object({<br/> release_name = string<br/> namespace = string<br/> chart_name = string<br/> chart_version = string<br/> name = string<br/> })</pre> | n/a | yes |
| <a name="input_eks_cluster_name"></a> [eks\_cluster\_name](#input\_eks\_cluster\_name) | Name of the EKS cluster | `string` | n/a | yes |
2 changes: 1 addition & 1 deletion modules/core/arc/variables.tf
@@ -1,6 +1,6 @@
variable "aws_profile" {
type = string
description = "AWS profile (i.e. generated via 'sl aws session generate') to use."
description = "AWS profile to use."
}

variable "aws_region" {
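Review bot: the new description "AWS profile to use." drops the only hint about where the profile comes from, and since `aws_profile` is a required string with no default, a first-time user of the module now has nothing to go on. If the goal is to stop tying the docs to the `sl aws session generate` workflow, point at the credential setup in the module README instead; the README inputs table is generated from this description, so this line is the one to fix.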
14 changes: 7 additions & 7 deletions modules/integrations/splunk_cloud_conf_shared/README.md
@@ -2,17 +2,17 @@
## Requirements

| Name | Version |
|------|---------|
| ---- | ------- |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.11 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.25 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.47 |
| <a name="requirement_splunk"></a> [splunk](#requirement\_splunk) | >= 1.4.30 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.35.1 |
| <a name="provider_splunk"></a> [splunk](#provider\_splunk) | 1.4.34 |
| ---- | ------- |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.47.0 |
| <a name="provider_splunk"></a> [splunk](#provider\_splunk) | 1.5.1 |

## Modules

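Review bot: the aws minimum is raised to `>= 6.47` with no upper bound, and the splunk requirement stays `>= 1.4.30` while the provider actually resolved is now 1.5.1; an open `>=` constraint lets a fresh `terraform init` pull a future major with breaking changes, which is exactly what the `~> 1.11` pin on terraform avoids. Prefer `~> 6.47` and `~> 1.5` in `required_providers`, and state in the PR description which resource or attribute needs aws 6.47 so the bump is traceable.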
@@ -21,7 +21,7 @@ No modules.
## Resources

| Name | Type |
|------|------|
| ---- | ---- |
| [splunk_configs_conf.forgecicd_aws_billing_cur](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource |
| [splunk_configs_conf.forgecicd_billing_cur_instance_id](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource |
| [splunk_configs_conf.forgecicd_billing_cur_volume_id](https://registry.terraform.io/providers/splunk/splunk/latest/docs/resources/configs_conf) | resource |
@@ -72,7 +72,7 @@ No modules.
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| ---- | ----------- | ---- | ------- | :------: |
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes |
| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of tags to apply to resources. | `map(string)` | n/a | yes |

@@ -63,6 +63,8 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs" {
depends_on = [
splunk_configs_conf.forgecicd_cloudwatchlogs_lambda_tenant_fields,
splunk_configs_conf.forgecicd_cloudwatchlogs_global_lambda_tenant_fields,
splunk_configs_conf.forgecicd_extra_lambda_tenant_fields
splunk_configs_conf.forgecicd_extra_lambda_tenant_fields,
splunk_configs_conf.forgecicd_extra_lambda_ec2_tenant_fields,
splunk_configs_conf.forgecicd_trust_validation
]
}
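Review bot: this `depends_on` has to be extended by hand every time a transform stanza is added (here `forgecicd_extra_lambda_ec2_tenant_fields` and `forgecicd_trust_validation`; the trailing comma after `forgecicd_extra_lambda_tenant_fields` is needed now that it is no longer the last entry). If the props stanza names these transforms as plain strings, as props.conf normally does, Terraform cannot infer the ordering from the values, so a forgotten entry lets the stanza be created before the transform it references. Building the value from the transform resources' `name` attributes makes the dependency implicit and removes the need for this list.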

@@ -68,7 +68,7 @@
"name": "Trust relationship validation",
"options": {
"enableSmartSources": true,
"query": "index=\"${splunk_index}\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_log_type=\"forge-trust-validator\" \"Validation complete\"\n| eventstats max(_time) as tenant_last_seen by forgecicd_tenant\n| where _time=tenant_last_seen\n\n| mvexpand forgecicd_trust_validation\n| eval trust_json=tostring(forgecicd_trust_validation)\n| spath input=trust_json path={} output=item\n| mvexpand item\n| spath input=item path=forge_role_arn output=forge_role\n| spath input=item path=tenant_results{} output=tenant_results\n| mvexpand tenant_results\n| spath input=tenant_results\n\n| eval assume_status=if(tostring(assume_role_success)==\"true\",\"assumed\",\"not assumed\")\n| eval tag_status=if(tostring(tag_session_success)==\"true\",\"session tagged\",\"session not tagged\")\n\n| table forgecicd_tenant forge_role tenant_role_arn assume_status assume_role_error tag_status tag_session_error\n| sort forge_role tenant_role_arn",
"query": "index=\"${splunk_index}\" forgecicd_tenant=\"$dd_8enHUmpH$\" forgecicd_log_type=\"forge-trust-validator\" \"Delayed validation run complete\"\n| eventstats max(_time) as tenant_last_seen by forgecicd_tenant\n| where _time=tenant_last_seen\n\n| eval trust_json=tostring(mvindex(forgecicd_trust_validation, 0))\n| spath input=trust_json path=validation_results{} output=item\n| mvexpand item\n| spath input=item path=forge_role_arn output=forge_role\n| spath input=item path=tenant_results{} output=tenant_results\n| mvexpand tenant_results\n| spath input=tenant_results\n\n| eval assume_status=if(tostring(assume_role_success)==\"true\",\"assumed\",\"not assumed\")\n| eval tag_status=if(tostring(tag_session_success)==\"true\",\"session tagged\",\"session not tagged\")\n\n| table forgecicd_tenant forge_role tenant_role_arn assume_status assume_role_error tag_status tag_session_error\n| sort forge_role tenant_role_arn",
"queryParameters": {
"earliest": "$global_time.earliest$",
"latest": "$global_time.latest$"
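Review bot: the panel now depends on the exact log line `"Delayed validation run complete"` and on the payload shape `validation_results{}`, which are also hard-coded in the `forgecicd_trust_validation` transform; a wording or schema change in the validator Lambda empties this table silently instead of failing, and an empty trust-validation panel reads as "nothing to report" when the evidence that tenant roles can be assumed and session-tagged is what this panel exists for. Add a comment in the dashboard source about the coupling, and consider an alert on tenants with no completion event in the lookback window. Also note that `mvindex(forgecicd_trust_validation, 0)` keeps only the first extraction per event; fine if each event carries exactly one payload, but worth stating in the query.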

@@ -2,7 +2,7 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" {
name = "transforms/forgecicd_extra_lambda_tenant_fields"

variables = {
"REGEX" = "(?<aws_region>[^:]+):\\/aws\\/lambda\\/(?<forgecicd_tenant>[a-z0-9]+)-(?<forgecicd_region_alias>[a-z0-9]+)-(?<forgecicd_vpc_alias>[a-z0-9]+)-(?<forgecicd_log_type>register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator|redrive-deadletter)"
"REGEX" = "(?<aws_region>[^:]+):\\/aws\\/lambda\\/(?<forgecicd_tenant>[a-z0-9]+)-(?<forgecicd_region_alias>[a-z0-9]+)-(?<forgecicd_vpc_alias>[a-z0-9]+)-(?<forgecicd_log_type>register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator(?:-prepare)?|redrive-deadletter)"
"FORMAT" = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5"
"SOURCE_KEY" = "source"
"CLEAN_KEYS" = "0"
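Review bot: `(?:-prepare)?` keeps the group numbering stable for `FORMAT` (`$1`..`$5`), so prepare Lambda log groups get `forgecicd_log_type="forge-trust-validator-prepare"`, and the dashboard filter `forgecicd_log_type="forge-trust-validator"` correctly leaves those events out. One caveat to verify with a real log group name: the tenant, region alias and VPC alias classes are `[a-z0-9]+`, so a hyphen or upper-case character in any alias makes the whole regex fail and the event gets none of the five fields, with nothing in the dashboard to show it. A quick `| rex` against a sample `source` value for both the validator and the prepare Lambda before merge would confirm the match.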
@@ -66,7 +66,7 @@ resource "splunk_configs_conf" "forgecicd_trust_validation" {
name = "transforms/forgecicd_trust_validation"

variables = {
REGEX = "Validation complete:\\s*(\\[[^\\r\\n]+])"
REGEX = "Delayed validation run complete:\\s*(\\{[^\\r\\n]+})"
FORMAT = "forgecicd_trust_validation::$1"
SOURCE_KEY = "_raw"
CLEAN_KEYS = "0"
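Review bot: `(\{[^\r\n]+})` captures from the first `{` to the end of the line, so it only works if the Lambda writes the whole result as single-line JSON after `Delayed validation run complete:` with nothing appended to that line; a logger suffix or request id on the same line would land inside the field and break the `spath` in the dashboard. Anchoring the capture to the last brace, e.g. `(\{.*\})\s*$`, is cheap insurance. Also, since the old `Validation complete: [...]` form is no longer matched, events indexed before the Lambda change lose the field; acceptable, but it should be mentioned in the PR description.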
2 changes: 1 addition & 1 deletion modules/platform/arc_deployment/README.md
@@ -23,7 +23,7 @@ No resources.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes |
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile to use. | `string` | n/a | yes |
| <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | Assuming single region for now. | `string` | n/a | yes |
| <a name="input_runner_configs"></a> [runner\_configs](#input\_runner\_configs) | n/a | <pre>object({<br/> prefix = string<br/> arc_cluster_name = string<br/> ghes_url = string<br/> ghes_org = string<br/> github_app = object({<br/> key_base64 = string<br/> id = string<br/> installation_id = string<br/> })<br/> migrate_arc_cluster = optional(bool, false)<br/> runner_iam_role_managed_policy_arns = list(string)<br/> runner_group_name = string<br/> runner_specs = map(object({<br/> runner_size = object({<br/> max_runners = number<br/> min_runners = number<br/> })<br/> scale_set_name = string<br/> scale_set_type = string<br/> scale_set_labels = list(string)<br/> container_actions_runner = string<br/> container_limits_cpu = string<br/> container_limits_memory = string<br/> volume_requests_storage_size = string<br/> volume_requests_storage_type = string<br/> container_requests_cpu = string<br/> container_requests_memory = string<br/> }))<br/> })</pre> | n/a | yes |
| <a name="input_tenant_configs"></a> [tenant\_configs](#input\_tenant\_configs) | n/a | <pre>object({<br/> ecr_registries = list(string)<br/> tags = map(string)<br/> name = string<br/> })</pre> | n/a | yes |
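Review bot: `runner_configs.github_app.key_base64` is a GitHub App private key, yet the input has no description (`n/a`) and nothing in this table indicates it is declared sensitive. Please set `sensitive = true` on the variable so the key is redacted from plan and apply output in CI logs (it still lands in state in clear, so the state backend's access controls matter too), and give `runner_configs` and `tenant_configs` real descriptions; both rows currently read `n/a`.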
2 changes: 1 addition & 1 deletion modules/platform/arc_deployment/variables.tf
@@ -1,6 +1,6 @@
variable "aws_profile" {
type = string
description = "AWS profile (i.e. generated via 'sl aws session generate') to use."
description = "AWS profile to use."
}

variable "aws_region" {
5 changes: 0 additions & 5 deletions modules/platform/forge_runners/forge_trust_validator.tf
@@ -6,7 +6,6 @@ module "forge_trust_validator" {
aws = aws
}

aws_profile = var.aws_profile
prefix = var.deployment_config.deployment_prefix
logging_retention_in_days = var.logging_retention_in_days
log_level = var.log_level
@@ -19,10 +18,6 @@ module "forge_trust_validator" {
)) :
idx => arn
}
number_forge_iram_roles = (
length(var.ec2_deployment_specs.runner_specs) +
length(var.arc_deployment_specs.runner_specs)
)

tenant_iam_roles = var.deployment_config.tenant.iam_roles_to_assume
}
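Review bot: removing `number_forge_iram_roles` (note the `iram` typo) is the right call: it was a hand-computed count that had to agree with the `forge_iam_roles` map built just above it, and the two could drift; the Lambda should derive the count from the map it is given. In the same spirit, `aws_profile` is no longer passed, consistent with the module README dropping that input, so there should be no remaining `local-exec` that relied on an operator profile.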
35 changes: 19 additions & 16 deletions modules/platform/forge_runners/forge_trust_validator/README.md
@@ -2,46 +2,49 @@
## Requirements

| Name | Version |
|------|---------|
| ---- | ------- |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.11 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.25 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.47 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.35.1 |
| <a name="provider_null"></a> [null](#provider\_null) | 3.2.4 |
| ---- | ------- |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.47.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| ---- | ------ | ------- |
| <a name="module_forge_trust_preparer_lambda"></a> [forge\_trust\_preparer\_lambda](#module\_forge\_trust\_preparer\_lambda) | terraform-aws-modules/lambda/aws | 8.8.0 |
| <a name="module_forge_trust_validator_lambda"></a> [forge\_trust\_validator\_lambda](#module\_forge\_trust\_validator\_lambda) | terraform-aws-modules/lambda/aws | 8.8.0 |

## Resources

| Name | Type |
|------|------|
| [aws_cloudwatch_event_rule.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| ---- | ---- |
| [aws_cloudwatch_event_rule.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
| [aws_cloudwatch_event_target.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_cloudwatch_log_group.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_lambda_permission.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [null_resource.update_forge_role_trust](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_iam_role_policy.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_role_policy.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_lambda_event_source_mapping.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_event_source_mapping) | resource |
| [aws_lambda_permission.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_sqs_queue.forge_trust_validator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sqs_queue) | resource |
| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_iam_policy_document.forge_trust_preparer_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_policy_document.forge_trust_validator_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_iam_role.forge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_aws_profile"></a> [aws\_profile](#input\_aws\_profile) | AWS profile (i.e. generated via 'sl aws session generate') to use. | `string` | n/a | yes |
| ---- | ----------- | ---- | ------- | :------: |
| <a name="input_forge_iam_roles"></a> [forge\_iam\_roles](#input\_forge\_iam\_roles) | List of IAM role ARNs for Forge runners. | `map(string)` | n/a | yes |
| <a name="input_iam_propagation_delay_seconds"></a> [iam\_propagation\_delay\_seconds](#input\_iam\_propagation\_delay\_seconds) | Delay between trust policy update and validation to allow IAM/STS propagation. | `number` | `300` | no |
| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | Log level for application logging (e.g., INFO, DEBUG, WARN, ERROR) | `string` | `"INFO"` | no |
| <a name="input_logging_retention_in_days"></a> [logging\_retention\_in\_days](#input\_logging\_retention\_in\_days) | Retention in days for CloudWatch Log Group for the Lambdas. | `number` | `30` | no |
| <a name="input_number_forge_iram_roles"></a> [number\_forge\_iram\_roles](#input\_number\_forge\_iram\_roles) | Number of Iam roles ARNs for Forge runners | `number` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input\_prefix) | Prefix for all resources | `string` | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to created resources. | `map(string)` | `{}` | no |
| <a name="input_tenant_iam_roles"></a> [tenant\_iam\_roles](#input\_tenant\_iam\_roles) | List of IAM role ARNs that the runners will assume to test trust relationships. | `list(string)` | `[]` | no |
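Review bot: the trust-policy update moves out of `null_resource.update_forge_role_trust` (operator credentials on a workstation) into `forge_trust_preparer_lambda` with its own `aws_iam_role_policy`, and that policy is the thing to scrutinise: a Lambda that may rewrite role trust policies is an account-wide privilege-escalation path, so the permission (presumably `iam:UpdateAssumeRolePolicy`) must be limited to the ARNs in `forge_iam_roles` and never `Resource = "*"`; the `aws_iam_role.forge` data source plus `aws_partition`/`aws_caller_identity` suggest the ARNs are available to do that. Paste the rendered policy into the PR description. For `aws_sqs_queue.forge_trust_validator`, add a queue policy that limits `sqs:SendMessage` to the preparer's role and enable server-side encryption, since a message on this queue triggers a validation run. Two doc fixes: `forge_iam_roles` is typed `map(string)` but described as a list, and `iam_propagation_delay_seconds` should say how the delay is enforced (queue delay versus sleeping in the Lambda), because that sets the ceiling for sensible values.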
2 changes: 2 additions & 0 deletions modules/platform/forge_runners/forge_trust_validator/data.tf
@@ -1 +1,3 @@
data "aws_partition" "current" {}

data "aws_caller_identity" "current" {}
124 changes: 0 additions & 124 deletions modules/platform/forge_runners/forge_trust_validator/forge_roles.tf

This file was deleted.
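Review bot: the 124 deleted lines are not rendered, so the removal of `null_resource.update_forge_role_trust` (listed as gone in the module README) cannot be reviewed line by line. Two things to confirm: that every trust-policy statement the old local-exec added to the forge roles, including whatever allows the `sts:TagSession` the dashboard's `tag_session_success` column checks, is now produced by the preparer Lambda with the same principals and conditions; and that removing the `null_resource` leaves the roles in a known state, since Terraform does not undo local-exec side effects on destroy, so stale statements persist until something removes them.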
