Skip to content

fix: TAM-4047: remove static report permissions#10102

Open
rohan-bes wants to merge 4 commits into
mainfrom
fix/tam-4047-remove-static-reports
Open

fix: TAM-4047: remove static report permissions#10102
rohan-bes wants to merge 4 commits into
mainfrom
fix/tam-4047-remove-static-reports

Conversation

@rohan-bes

@rohan-bes rohan-bes commented Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Changes

Removes the StaticReport permission noun entirely and migrates the only static report (generic-survey-export-line-list) to a proper ReportDefinition + ReportDefinitionVersion. A migration creates the DB records, inserts new ReportDefinition:run permissions for any roles that had the old StaticReport:run permission, and soft-deletes the old permissions. All static-report-specific code paths (canRunStaticReport, reportDefinitions, reportObjects, the StaticReport schema entries) are removed, and the report module/permission/availability utilities are simplified to handle only DB-defined reports.

Auto-Deploy

  • Deploy
Options
  • Artillery load test
  • Seed from closest snapshot
  • Generate fake data
  • More data (20Gi)
  • No facility servers (central-only)
  • No sync (facility tasks scaled to zero)
  • AMD64 architecture (default is arm64)
  • Skip mobile build
  • Always build mobile
  • Stay up for 8 hours
  • Stay up for 24 hours
  • Stay up (no TTL)
  • Build images only (don't deploy)
  • Pause this deploy

Tests

  • Run E2E tests
  • Run DAST scan

Review Hero

  • Run Review Hero
  • Auto-fix review suggestions Wait for Review Hero to finish, resolve any comments you disagree with or want to fix manually, then check this to auto-fix the rest.
  • Auto-fix CI failures Check this to auto-fix lint errors, test failures, and other CI issues.
  • Auto-merge upstream Check this to merge the base branch into this PR, with AI conflict resolution if needed.
  • Save suppressions Check this to capture 👎 reactions on Review Hero comments as suppression rules in .github/review-hero/suppressions.yml. Also runs automatically at the end of any auto-fix run.

Remember to...

  • ...write or update tests
  • ...add UI screenshots and testing notes to the Linear issue
  • ...add any manual upgrade steps to the Linear issue
  • ...update the config reference, settings reference, or any relevant runbook(s)
  • ...call out additions or changes to config files for the deployment team to take note of

@rohan-bes rohan-bes requested a review from a team as a code owner June 21, 2026 09:05
cursor[bot]
cursor Bot reviewed Jun 21, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 3 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Want higher recall? High effort reviews run extra passes and find more bugs. A team admin can switch effort levels in the Cursor dashboard.

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 13d8b76. Configure here.

Comment thread packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts
WHERE noun = 'StaticReport'
AND verb = 'run'
AND deleted_at IS NULL
`);

@cursor cursor Bot Jun 21, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Blank StaticReport run not migrated

High Severity

The migration only creates ReportDefinition:run rows for StaticReport:run permissions whose object_id is generic-survey-export-line-list, then soft-deletes every remaining StaticReport:run grant. Roles that had a blanket StaticReport:run with no object_id (as in the prior default practitioner template) lose run access and are not given an equivalent ReportDefinition permission.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 13d8b76. Configure here.

Comment thread packages/shared/src/reports/utilities/getAvailableReports.js
...getStaticReports(ability, models),
...(await getDbReports(ability, models)),
];
const permittedReports = await getDbReports(ability, models);

@cursor cursor Bot Jun 21, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Disabled report id no longer matches

Medium Severity

disabledReports entries and run requests now use a ReportDefinitionVersion id, but localisation often still lists generic-survey-export-line-list for the generic survey export. That id no longer matches available-report entries or the reportId on run/report-request calls, so disabled-report config no longer hides or blocks that report.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 13d8b76. Configure here.

Comment thread packages/shared/src/reports/index.js
@review-hero

review-hero Bot commented Jun 21, 2026

Copy link
Copy Markdown

🦸 Review Hero (could not post inline comments — showing here instead)

packages/shared/src/reports/index.js:20

[BES Requirements] suggestion

Mutating the Sequelize model instance with reportVersion.dataGenerator = staticModule.dataGenerator is a code smell — it attaches a non-schema property to a live ORM object. Downstream code that receives reportVersion as a parameter can't easily tell it's been augmented, and Sequelize's changed() / dirty-checking won't affect it, but any future call like reportVersion.save() or reportVersion.toJSON() will silently omit dataGenerator. Consider returning a thin wrapper { ...reportVersion.get(), dataGenerator: staticModule.dataGenerator, getReportDefinition: () => reportVersion.getReportDefinition(), reportDefinitionId: reportVersion.reportDefinitionId } or a dedicated class instead of mutating the instance.

packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:53

[Design & Architecture] suggestion

(SELECT id FROM users ORDER BY created_at ASC LIMIT 1) returns NULL when no users exist (e.g. fresh installs or bare test databases), which will violate the allowNull: false constraint on report_definition_versions.user_id and cause the migration to fail. The WHERE NOT EXISTS guard on the outer SELECT doesn't protect against this — if the subquery returns nothing the whole INSERT simply inserts a row with NULL user_id. Consider making user_id nullable for this record, or wrapping the insert in a guard like AND EXISTS (SELECT 1 FROM users), and documenting that a system-seeded user is required before this migration runs.

packages/facility-server/__tests__/apiv1/ReportRequest.test.js:17

[Integration tests] critical

This test passes GENERIC_SURVEY_EXPORT_REPORT_ID ('generic-survey-export-line-list') as the reportId. After this PR, getReportModule calls ReportDefinitionVersion.findByPk(reportId), which returns null for a ReportDefinition ID (not a version UUID), so the endpoint throws NotFoundError (404) rather than ForbiddenError (403). The toBeForbidden() assertion will fail. The test needs to resolve the version UUID first (same pattern used in reportsApiCommon.js lines 71–74) and pass that instead. The ReportRequest.test.js file was not updated alongside Reports.test.js and reportsApiCommon.js.

packages/facility-server/__tests__/apiv1/ReportRequest.test.js:45

[Integration tests] critical

The 'should create a new report request' test passes GENERIC_SURVEY_EXPORT_REPORT_ID as reportId to POST /api/reportRequest. After this PR, reportRequest.js always sets reportDefinitionVersionId: reportId (removing the old reportType branch), and getReportModule requires a ReportDefinitionVersion UUID. Passing the ReportDefinition ID returns null → 404. Additionally, line 53 asserts toHaveProperty('reportType', GENERIC_SURVEY_EXPORT_REPORT_ID) but reportType is no longer populated — it would be reportDefinitionVersionId. Both the reportId passed in and the response field checked need updating to use the version UUID (as done in the reportsApiCommon.js update in this PR).

packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:126

[Security] suggestion

The down() function restores ALL soft-deleted StaticReport:run permissions unconditionally (WHERE noun = 'StaticReport' AND verb = 'run'), not just the ones this migration soft-deleted. If any StaticReport:run permissions were intentionally revoked by an admin before this migration ran, rolling back would silently re-grant them. The comment marks this as DESTRUCTIVE for data loss, but the access-elevation risk is worth calling out explicitly. Consider storing the IDs of permissions soft-deleted by up() (e.g. in a temporary side-table or by marking updated_at_sync_tick) so down() can restore only those rows.

@review-hero

review-hero Bot commented Jun 21, 2026

Copy link
Copy Markdown

🦸 Review Hero Summary
18 agents reviewed this PR | 2 critical | 3 suggestions | 1 nitpick | Filtering: consensus 3 voters, 8 below threshold, 1 suppressed

Below consensus threshold (8 unique issues not confirmed by majority)
Location Agent Severity Comment
packages/central-server/app/subCommands/report.js:16 Design & Architecture suggestion The CLI --reportId parameter previously accepted the human-readable definition ID (generic-survey-export-line-list). After this migration it requires a ReportDefinitionVersion UUID, which dif...
packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:43 Bugs & Correctness suggestion Both the report_definitions INSERT and the report_definition_versions INSERT set updated_at_sync_tick = 0. The coding rules say never to modify updated_at_sync_tick manually. Records with tick 0 ma...
packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:72 Security suggestion The generated permission id is LOWER(role_id || '-run-ReportDefinition-' || :id). If any existing role_id is long, the concatenated string may silently exceed the column's character limit and be tr...
packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:96 Bugs & Correctness suggestion The UP function soft-deletes ALL StaticReport:run permissions (any object_id), but only creates a ReportDefinition:run replacement for generic-survey-export-line-list. If any other StaticReport:run...
packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:133 BES Requirements suggestion The down() function hard-deletes rows from report_definitions and report_definition_versions with DELETE. These tables have updated_at_sync_tick columns, so the records inserted by up()...
packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:133 Design & Architecture suggestion The down migration deletes ALL report_definition_versions for this definition (WHERE report_definition_id = :id), not just the single row inserted by up. If any additional version was creat...
packages/shared/src/reports/index.js:12 Performance suggestion getReportModule fetches ReportDefinitionVersion with findByPk, then checkReportModulePermissions always calls reportModule.getReportDefinition() which is a second sequential DB query on every repor...
packages/shared/src/roles.js:232 BES Requirements nitpick Hardcoded string 'generic-survey-export-line-list' should use the GENERIC_SURVEY_EXPORT_REPORT_ID constant from @tamanu/constants. The constant already exists and is used everywhere else in t...

Nitpicks

File Line Agent Comment
packages/facility-server/__tests__/apiv1/reportsApiCommon.js 71 BES Requirements version.id is accessed without a null guard. If findOne returns null (e.g. the migration has not been applied in the test DB), this throws a confusing TypeError rather than a clear test failure. Add: if (!version) throw new Error('ReportDefinitionVersion for GENERIC_SURVEY_EXPORT_REPORT_ID not fo...
Local fix prompt (copy to your coding agent)

Fix these issues identified on the pull request. One commit per issue fixed.

packages/shared/src/reports/index.js:20: Mutating the Sequelize model instance with reportVersion.dataGenerator = staticModule.dataGenerator is a code smell — it attaches a non-schema property to a live ORM object. Downstream code that receives reportVersion as a parameter can't easily tell it's been augmented, and Sequelize's changed() / dirty-checking won't affect it, but any future call like reportVersion.save() or reportVersion.toJSON() will silently omit dataGenerator. Consider returning a thin wrapper { ...reportVersion.get(), dataGenerator: staticModule.dataGenerator, getReportDefinition: () => reportVersion.getReportDefinition(), reportDefinitionId: reportVersion.reportDefinitionId } or a dedicated class instead of mutating the instance.

packages/facility-server/__tests__/apiv1/reportsApiCommon.js:71: version.id is accessed without a null guard. If findOne returns null (e.g. the migration has not been applied in the test DB), this throws a confusing TypeError rather than a clear test failure. Add: if (!version) throw new Error('ReportDefinitionVersion for GENERIC_SURVEY_EXPORT_REPORT_ID not found — has the migration been run?'); The same pattern appears in Reports.test.js and generic-survey-export-line-list.test.js.

packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:53: (SELECT id FROM users ORDER BY created_at ASC LIMIT 1) returns NULL when no users exist (e.g. fresh installs or bare test databases), which will violate the allowNull: false constraint on report_definition_versions.user_id and cause the migration to fail. The WHERE NOT EXISTS guard on the outer SELECT doesn't protect against this — if the subquery returns nothing the whole INSERT simply inserts a row with NULL user_id. Consider making user_id nullable for this record, or wrapping the insert in a guard like AND EXISTS (SELECT 1 FROM users), and documenting that a system-seeded user is required before this migration runs.

packages/facility-server/__tests__/apiv1/ReportRequest.test.js:17: This test passes GENERIC_SURVEY_EXPORT_REPORT_ID ('generic-survey-export-line-list') as the reportId. After this PR, getReportModule calls ReportDefinitionVersion.findByPk(reportId), which returns null for a ReportDefinition ID (not a version UUID), so the endpoint throws NotFoundError (404) rather than ForbiddenError (403). The toBeForbidden() assertion will fail. The test needs to resolve the version UUID first (same pattern used in reportsApiCommon.js lines 71–74) and pass that instead. The ReportRequest.test.js file was not updated alongside Reports.test.js and reportsApiCommon.js.

packages/facility-server/__tests__/apiv1/ReportRequest.test.js:45: The 'should create a new report request' test passes GENERIC_SURVEY_EXPORT_REPORT_ID as reportId to POST /api/reportRequest. After this PR, reportRequest.js always sets reportDefinitionVersionId: reportId (removing the old reportType branch), and getReportModule requires a ReportDefinitionVersion UUID. Passing the ReportDefinition ID returns null → 404. Additionally, line 53 asserts toHaveProperty('reportType', GENERIC_SURVEY_EXPORT_REPORT_ID) but reportType is no longer populated — it would be reportDefinitionVersionId. Both the reportId passed in and the response field checked need updating to use the version UUID (as done in the reportsApiCommon.js update in this PR).

packages/database/src/migrations/1781200000000-convertGenericSurveyExportToReportDefinition.ts:126: The down() function restores ALL soft-deleted StaticReport:run permissions unconditionally (WHERE noun = 'StaticReport' AND verb = 'run'), not just the ones this migration soft-deleted. If any StaticReport:run permissions were intentionally revoked by an admin before this migration ran, rolling back would silently re-grant them. The comment marks this as DESTRUCTIVE for data loss, but the access-elevation risk is worth calling out explicitly. Consider storing the IDs of permissions soft-deleted by up() (e.g. in a temporary side-table or by marking updated_at_sync_tick) so down() can restore only those rows.

@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

Android builds 📱

@github-actions

github-actions Bot commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown

🍹 up on tamanu-on-k8s/bes/tamanu-on-k8s/fix-tam-4047-remove-static-reports

Pulumi report 
   Updating (fix-tam-4047-remove-static-reports)

View Live: https://app.pulumi.com/bes/tamanu-on-k8s/fix-tam-4047-remove-static-reports/updates/3

Downloading plugin random-4.19.0: starting
Downloading plugin random-4.19.0: done
Installing plugin random-4.19.0: starting
Installing plugin random-4.19.0: done

@ Updating....
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running 
@ Updating....
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read pulumi:pulumi:StackReference bes/k8s-core/tamanu-internal-main
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read pulumi:pulumi:StackReference bes/k8s-core/tamanu-internal-main
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read pulumi:pulumi:StackReference bes/core/tamanu-internal
@ Updating....
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read kubernetes:core/v1:Namespace tamanu-fix-tam-4047-remove-static-reports
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read pulumi:pulumi:StackReference bes/core/tamanu-internal
@ Updating......
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read kubernetes:core/v1:Namespace tamanu-fix-tam-4047-remove-static-reports
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Waiting for central-db...
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Waiting for facility-1-db...
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Waiting for facility-2-db...
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read kubernetes:core/v1:ConfigMap actual-provisioning
~  kubernetes:apps/v1:Deployment facility-2-web updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment central-web updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment patient-portal-web updating (0s) [diff: ~spec]
~  kubernetes:core/v1:Service central-db-tailscale updating (0s) [diff: ~metadata]
~  kubernetes:apps/v1:Deployment facility-1-web updating (0s) [diff: ~spec]
@ Updating....
~  kubernetes:batch/v1:CronJob ttl-hibernate updating (0s) [diff: ~spec]
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (0s) 
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running read kubernetes:core/v1:ConfigMap actual-provisioning
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (0s) 
@ Updating....
~  kubernetes:batch/v1:CronJob ttl-hibernate updating (1s) [diff: ~spec]; 
~  kubernetes:batch/v1:CronJob ttl-hibernate updated (1s) [diff: ~spec]; 
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (1s) Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/ttl-wake-1782468440-e2ed352c" to start
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (1s) Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/ttl-wake-1782468440-e2ed352c" to succeed (Active: 1 | Succeeded: 0 | Failed: 0)
@ Updating....
~  kubernetes:core/v1:Service central-db-tailscale updating (2s) [diff: ~metadata]; [1/3] Finding Pods to direct traffic to
~  kubernetes:apps/v1:Deployment facility-1-web updating (3s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating....
~  kubernetes:apps/v1:Deployment patient-portal-web updating (3s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment central-web updating (3s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment facility-2-web updating (3s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating.......
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (7s) warning: [Pod tamanu-fix-tam-4047-remove-static-reports/ttl-wake-1782468440-e2ed352c-s7t78]: Container "wake-cnpg" completed with exit code 0
@ Updating....
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (8s) Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/ttl-wake-1782468440-e2ed352c" to succeed (Active: 0 | Succeeded: 0 | Failed: 0)
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (8s) Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/ttl-wake-1782468440-e2ed352c" to succeed (Active: 0 | Succeeded: 1 | Failed: 0)
+  kubernetes:batch/v1:Job ttl-wake-1782468440 creating (8s) 
+  kubernetes:batch/v1:Job ttl-wake-1782468440 created (8s) 
@ Updating.......
~  kubernetes:core/v1:Service central-db-tailscale updating (12s) [diff: ~metadata]; Service initialization complete
~  kubernetes:core/v1:Service central-db-tailscale updating (12s) [diff: ~metadata]; 
~  kubernetes:core/v1:Service central-db-tailscale updated (12s) [diff: ~metadata]; 
~  kubernetes:apps/v1:Deployment facility-1-web updating (13s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-1-web-e2c3905d-66d9b5899d-g969n]: containers with unready status: [http]
@ Updating....
~  kubernetes:apps/v1:Deployment patient-portal-web updating (13s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/patient-portal-web-3ca6db4c-567d6469c-r9xdj]: containers with unready status: [http]
~  kubernetes:apps/v1:Deployment central-web updating (13s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-web-9507928a-7b455bc5d4-27g4c]: containers with unready status: [http]
~  kubernetes:apps/v1:Deployment facility-2-web updating (13s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-2-web-e7c15713-568b7b8cb9-jlmrs]: containers with unready status: [http]
@ Updating......
~  kubernetes:apps/v1:Deployment central-web updating (16s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
~  kubernetes:apps/v1:Deployment facility-1-web updating (16s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
~  kubernetes:apps/v1:Deployment facility-2-web updating (16s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
~  kubernetes:apps/v1:Deployment patient-portal-web updating (17s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment patient-portal-web updating (17s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment patient-portal-web updated (17s) [diff: ~spec]; 
@ Updating.......
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (0s) [diff: ~spec]
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (0s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-2-migrator-124164b3" to start
@ Updating....
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Secret facility-2-db-superuser not found or not ready: Error: HTTP-Code: 404
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Message: Unknown API Status Code!
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"facility-2-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"facility-2-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Headers: {"audit-id":"3e6dd89a-549b-4163-a369-c08729261b76","cache-control":"no-cache, private","connection":"close","content-length":"220","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:44 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-2-migrator-124164b3" to succeed (Active: 1 | Succeeded: 0 | Failed: 0)
@ Updating....
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (0s) [diff: ~spec]
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (0s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-1-migrator-ca3156d8" to start
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-1-migrator-ca3156d8" to succeed (Active: 1 | Succeeded: 0 | Failed: 0)
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Secret facility-1-db-superuser not found or not ready: Error: HTTP-Code: 404
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Message: Unknown API Status Code!
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"facility-1-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"facility-1-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Headers: {"audit-id":"2066cbb6-00e0-465c-af9b-294b869fab4f","cache-control":"no-cache, private","connection":"close","content-length":"220","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:46 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}
~  kubernetes:apps/v1:Deployment facility-1-web updating (23s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-1-web-e2c3905d-66d9b5899d-4qg5v]: containers with unready status: [http]
@ Updating....
~  kubernetes:apps/v1:Deployment central-web updating (23s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-web-9507928a-7b455bc5d4-c2zkz]: containers with unready status: [http]
~  kubernetes:apps/v1:Deployment facility-2-web updating (23s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-2-web-e7c15713-568b7b8cb9-k9dn5]: containers with unready status: [http]
@ Updating.....
++ kubernetes:batch/v1:Job central-migrator creating replacement (0s) [diff: ~spec]
++ kubernetes:batch/v1:Job central-migrator creating replacement (0s) [diff: ~spec]; 
@ Updating....
++ kubernetes:batch/v1:Job central-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-migrator-c312c9f1" to start
++ kubernetes:batch/v1:Job central-migrator creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-migrator-c312c9f1" to succeed (Active: 1 | Succeeded: 0 | Failed: 0)
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Secret central-db-superuser not found or not ready: Error: HTTP-Code: 404
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Message: Unknown API Status Code!
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"central-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"central-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports running Headers: {"audit-id":"c4b25fcb-048f-473c-9dd4-d025fd36a1da","cache-control":"no-cache, private","connection":"close","content-length":"214","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:50 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}
@ Updating...........
~  kubernetes:apps/v1:Deployment facility-1-web updating (34s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-1-web updating (34s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-1-web updated (34s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-web updating (34s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-2-web updating (34s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-web updated (34s) [diff: ~spec]; 
@ Updating....
~  kubernetes:apps/v1:Deployment central-web updating (35s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment central-web updating (35s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-web updated (35s) [diff: ~spec]; 
@ Updating...........
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (21s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-1-migrator-ca3156d8-lsqh6]: Container "migrator" completed with exit code 0
@ Updating.....
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (23s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-1-migrator-ca3156d8" to succeed (Active: 0 | Succeeded: 0 | Failed: 0)
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (23s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-1-migrator-ca3156d8" to succeed (Active: 0 | Succeeded: 1 | Failed: 0)
++ kubernetes:batch/v1:Job facility-1-migrator creating replacement (23s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job facility-1-migrator created replacement (23s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job facility-1-migrator replacing (0s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job facility-1-migrator replaced (0.00s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment facility-1-api updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment facility-1-sync updating (0s) [diff: ~spec]
@ Updating....
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (0s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (0s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (1s) [diff: ~spec]; warning: Replicas scaled to 0 for Deployment "facility-1-tasks-8760f705"
@ Updating....
~  kubernetes:apps/v1:Deployment facility-1-sync updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-1-sync updating (1s) [diff: ~spec]; warning: Replicas scaled to 0 for Deployment "facility-1-sync"
~  kubernetes:apps/v1:Deployment facility-1-api updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-1-api updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/2 Pods available)
~  kubernetes:apps/v1:Deployment facility-1-api updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment facility-1-sync updating (2s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating......
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (5s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-1-tasks updating (5s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-1-tasks updated (5s) [diff: ~spec]; 
@ Updating....
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (31s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-2-migrator-124164b3-2q45x]: Container "migrator" completed with exit code 0
@ Updating....
++ kubernetes:batch/v1:Job central-migrator creating replacement (27s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-migrator-c312c9f1-xtdxl]: Container "migrator" completed with exit code 0
@ Updating....
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (33s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-2-migrator-124164b3" to succeed (Active: 0 | Succeeded: 0 | Failed: 0)
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (33s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/facility-2-migrator-124164b3" to succeed (Active: 0 | Succeeded: 1 | Failed: 0)
++ kubernetes:batch/v1:Job facility-2-migrator creating replacement (33s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job facility-2-migrator created replacement (33s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job facility-2-migrator replacing (0s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job facility-2-migrator replaced (0.00s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-api updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment facility-2-tasks updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment facility-2-sync updating (0s) [diff: ~spec]
@ Updating....
++ kubernetes:batch/v1:Job central-migrator creating replacement (29s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-migrator-c312c9f1" to succeed (Active: 0 | Succeeded: 0 | Failed: 0)
++ kubernetes:batch/v1:Job central-migrator creating replacement (29s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-migrator-c312c9f1" to succeed (Active: 0 | Succeeded: 1 | Failed: 0)
++ kubernetes:batch/v1:Job central-migrator creating replacement (29s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job central-migrator created replacement (29s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-sync updating (0s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-2-sync updating (0s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating....
+- kubernetes:batch/v1:Job central-migrator replacing (0s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job central-migrator replaced (0.00s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job central-provisioner creating replacement (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment facility-1-api updating (9s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
~  kubernetes:apps/v1:Deployment facility-2-tasks updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-2-tasks updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment facility-2-api updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment facility-2-api updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/2 Pods available)
++ kubernetes:batch/v1:Job central-provisioner creating replacement (0s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job central-provisioner creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-provisioner-17a12b61" to start
++ kubernetes:batch/v1:Job central-provisioner creating replacement (0s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-provisioner-17a12b61" to succeed (Active: 1 | Succeeded: 0 | Failed: 0)
~  kubernetes:apps/v1:Deployment facility-2-sync updating (1s) [diff: ~spec]; warning: Replicas scaled to 0 for Deployment "facility-2-sync"
~  kubernetes:apps/v1:Deployment facility-2-api updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating....
~  kubernetes:apps/v1:Deployment facility-1-sync updating (10s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-1-sync-6c89bfdd94-6g84g]: containers with unready status: [server]
@ Updating....
~  kubernetes:apps/v1:Deployment facility-1-api updating (11s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-1-api-6cf9b5df7d-4pmv2]: containers with unready status: [server]
@ Updating.........
~  kubernetes:apps/v1:Deployment facility-1-api updating (17s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-1-api updating (17s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-1-api updated (17s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-sync updating (9s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-2-sync updating (9s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-sync updated (9s) [diff: ~spec]; 
@ Updating....
~  kubernetes:apps/v1:Deployment facility-2-tasks updating (10s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-2-tasks updating (10s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-tasks updated (10s) [diff: ~spec]; 
@ Updating........
~  kubernetes:apps/v1:Deployment facility-1-sync updating (23s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-1-sync updating (23s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-1-sync updated (23s) [diff: ~spec]; 
@ Updating......
~  kubernetes:apps/v1:Deployment facility-2-api updating (18s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
@ Updating......
~  kubernetes:apps/v1:Deployment facility-2-api updating (21s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/facility-2-api-5dbd5c79f8-xs2zt]: containers with unready status: [server]
@ Updating......
++ kubernetes:batch/v1:Job central-provisioner creating replacement (23s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-provisioner-17a12b61-blbzn]: Container "provisioner" completed with exit code 0
@ Updating.....
++ kubernetes:batch/v1:Job central-provisioner creating replacement (25s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-provisioner-17a12b61" to succeed (Active: 0 | Succeeded: 0 | Failed: 0)
++ kubernetes:batch/v1:Job central-provisioner creating replacement (25s) [diff: ~spec]; Waiting for Job "tamanu-fix-tam-4047-remove-static-reports/central-provisioner-17a12b61" to succeed (Active: 0 | Succeeded: 1 | Failed: 0)
++ kubernetes:batch/v1:Job central-provisioner creating replacement (25s) [diff: ~spec]; 
++ kubernetes:batch/v1:Job central-provisioner created replacement (25s) [diff: ~spec]; 
@ Updating....
+- kubernetes:batch/v1:Job central-provisioner replacing (0s) [diff: ~spec]; 
+- kubernetes:batch/v1:Job central-provisioner replaced (0.00s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-tasks updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment central-fhir-refresh updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment central-api updating (0s) [diff: ~spec]
~  kubernetes:apps/v1:Deployment central-fhir-resolver updating (0s) [diff: ~spec]
@ Updating....
~  kubernetes:apps/v1:Deployment central-fhir-refresh updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment central-fhir-refresh updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment central-tasks updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment central-tasks updating (1s) [diff: ~spec]; warning: Replicas scaled to 0 for Deployment "central-tasks-847c5237"
~  kubernetes:apps/v1:Deployment central-fhir-resolver updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment central-fhir-resolver updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating....
~  kubernetes:apps/v1:Deployment central-api updating (1s) [diff: ~spec]; warning: [MinimumReplicasUnavailable] Deployment does not have minimum availability.
~  kubernetes:apps/v1:Deployment central-api updating (1s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/2 Pods available)
~  kubernetes:apps/v1:Deployment central-api updating (2s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
~  kubernetes:apps/v1:Deployment central-tasks updating (2s) [diff: ~spec]; Waiting for app ReplicaSet to be available (0/1 Pods available)
@ Updating....
~  kubernetes:apps/v1:Deployment central-fhir-resolver updating (3s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment central-fhir-resolver updating (3s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-fhir-resolver updated (3s) [diff: ~spec]; 
@ Updating....
~  kubernetes:apps/v1:Deployment central-fhir-refresh updating (4s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment central-fhir-refresh updating (4s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-fhir-refresh updated (4s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-tasks updating (4s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment central-tasks updating (4s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-tasks updated (4s) [diff: ~spec]; 
@ Updating..........
~  kubernetes:apps/v1:Deployment central-api updating (11s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-api-539cb462-67d7b5cdfc-t5z6z]: containers with unready status: [server]
@ Updating....
~  kubernetes:apps/v1:Deployment central-api updating (12s) [diff: ~spec]; Waiting for app ReplicaSet to be available (1/2 Pods available)
@ Updating...........
~  kubernetes:apps/v1:Deployment facility-2-api updating (47s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment facility-2-api updating (47s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment facility-2-api updated (47s) [diff: ~spec]; 
@ Updating....
~  kubernetes:apps/v1:Deployment central-api updating (21s) [diff: ~spec]; warning: [Pod tamanu-fix-tam-4047-remove-static-reports/central-api-539cb462-67d7b5cdfc-ssjgx]: containers with unready status: [server]
@ Updating...............................
~  kubernetes:apps/v1:Deployment central-api updating (49s) [diff: ~spec]; Deployment initialization complete
~  kubernetes:apps/v1:Deployment central-api updating (49s) [diff: ~spec]; 
~  kubernetes:apps/v1:Deployment central-api updated (49s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job central-provisioner deleting original (0s) [diff: ~spec]; 
@ Updating....
-- kubernetes:batch/v1:Job central-provisioner deleting original (0s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job central-provisioner deleted original (0.58s) [diff: ~spec]; 
-  kubernetes:batch/v1:Job ttl-wake-1782109343 deleting (0s) 
-- kubernetes:batch/v1:Job facility-2-migrator deleting original (0s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job facility-1-migrator deleting original (0s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job central-migrator deleting original (0s) [diff: ~spec]; 
@ Updating....
-  kubernetes:batch/v1:Job ttl-wake-1782109343 deleted (0.37s) 
-- kubernetes:batch/v1:Job facility-2-migrator deleting original (0s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job facility-1-migrator deleting original (0s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job facility-2-migrator deleted original (0.82s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job facility-1-migrator deleted original (0.82s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job central-migrator deleting original (1s) [diff: ~spec]; 
-- kubernetes:batch/v1:Job central-migrator deleted original (1s) [diff: ~spec]; 
   pulumi:pulumi:Stack tamanu-on-k8s-fix-tam-4047-remove-static-reports  15 messages
Diagnostics:
 pulumi:pulumi:Stack (tamanu-on-k8s-fix-tam-4047-remove-static-reports):
   Waiting for central-db...
   Waiting for facility-1-db...
   Waiting for facility-2-db...

   Secret facility-2-db-superuser not found or not ready: Error: HTTP-Code: 404
   Message: Unknown API Status Code!
   Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"facility-2-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"facility-2-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   Headers: {"audit-id":"3e6dd89a-549b-4163-a369-c08729261b76","cache-control":"no-cache, private","connection":"close","content-length":"220","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:44 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}
   Secret facility-1-db-superuser not found or not ready: Error: HTTP-Code: 404
   Message: Unknown API Status Code!
   Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"facility-1-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"facility-1-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   Headers: {"audit-id":"2066cbb6-00e0-465c-af9b-294b869fab4f","cache-control":"no-cache, private","connection":"close","content-length":"220","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:46 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}
   Secret central-db-superuser not found or not ready: Error: HTTP-Code: 404
   Message: Unknown API Status Code!
   Body: "{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"secrets \\\"central-db-superuser\\\" not found\",\"reason\":\"NotFound\",\"details\":{\"name\":\"central-db-superuser\",\"kind\":\"secrets\"},\"code\":404}
"
   Headers: {"audit-id":"c4b25fcb-048f-473c-9dd4-d025fd36a1da","cache-control":"no-cache, private","connection":"close","content-length":"214","content-type":"application/json","date":"Fri, 26 Jun 2026 06:07:50 GMT","x-kubernetes-pf-flowschema-uid":"3fb296fc-e46b-45d1-9306-057e37ddd229","x-kubernetes-pf-prioritylevel-uid":"feccf24d-a074-4fa8-aa6f-db82477fc2f5"}

Outputs:
   urls: {
       Central      : "https://central.fix-tam-4047-remove-static-reports.cd.tamanu.app"
       Facility- 1  : "https://facility-1.fix-tam-4047-remove-static-reports.cd.tamanu.app"
       Facility- 2  : "https://facility-2.fix-tam-4047-remove-static-reports.cd.tamanu.app"
       PatientPortal: "https://portal.fix-tam-4047-remove-static-reports.cd.tamanu.app"
   }

Resources:
   + 1 created
   ~ 16 updated
   - 1 deleted
   +-4 replaced
   22 changes. 72 unchanged

Duration: 2m20s

Rohan Port and others added 4 commits June 26, 2026 15:55
@claude
db: TAM-4047: convert static report permissions to ReportDefinition
0418c65 
Replaces StaticReport:run permissions with ReportDefinition:run via
migration: creates a ReportDefinition and ReportDefinitionVersion for
generic-survey-export-line-list, inserts new permissions for affected
roles, and soft-deletes the old StaticReport permissions.

Removes all StaticReport permission references from constants, shared
report utilities, and server routes, and updates tests accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
test: TAM-4047: fix tests affected by seeded generic survey export re…
64a6a31 
…port

The migration seeds a ReportDefinition and ReportDefinitionVersion for
generic-survey-export-line-list. Update affected tests:

- reportRoutes: find testReport by ID instead of checking total list length
- ReportRequest: look up version UUID; check reportDefinitionVersionId not reportType
- CentralSyncManager.updateLookupTable: truncate ReportDefinition/Version in
  beforeEach so the seeded record does not appear in sync lookup counts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
fix: TAM-4047: check disabled reports against definition ID not versi…
eb863ba 
…on UUID

The disabledReports localisation config uses stable definition IDs (e.g.
generic-survey-export-line-list), but disabled checks were comparing against
the version UUID after the static report migration. Fix all five check sites
to use reportModule.reportDefinitionId instead.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude
db: TAM-4047: also migrate general StaticReport:run permissions
ce58b70 
Roles with a general StaticReport:run permission (no objectId) had access
to all static reports. The migration now also creates a
ReportDefinition:run:generic-survey-export-line-list for these roles so
they retain access after the static report is removed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@rohan-bes rohan-bes force-pushed the fix/tam-4047-remove-static-reports branch from ec2509e to ce58b70 Compare June 26, 2026 05:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 0 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rohan-bes