From 065b07613aa99de0383efb32c463eca3edc302a6 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Mon, 8 Jun 2026 11:58:55 +0200
Subject: [PATCH 01/28] Add reuploader builder task to dev

---
 tf/environments/dev/main.tf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 84de383f..9b4511cb 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -936,6 +936,21 @@ module "fastpath_builder" {
   codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
 }
 
+module "reuploader_builder" {
+  source      = "../../modules/ooni_docker_build"
+  trigger_tag = ""
+
+  service_name            = "reuploader"
+  repo                    = "ooni/backend"
+  branch_name             = "add_fastpath_reuploader"
+  environment             = local.environment
+  buildspec_path          = "reuploader/buildspec.yml"
+  trigger_path            = "fastpath/**"
+  codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
+
+  codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
+}
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {

From ccda78dd1c82f6766c8746ba09bd46ab74cfd747 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Mon, 8 Jun 2026 12:30:49 +0200
Subject: [PATCH 02/28] fix trigger path

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 9b4511cb..82b678c1 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -945,7 +945,7 @@ module "reuploader_builder" {
   branch_name             = "add_fastpath_reuploader"
   environment             = local.environment
   buildspec_path          = "reuploader/buildspec.yml"
-  trigger_path            = "fastpath/**"
+  trigger_path            = "reuploader/**"
   codestar_connection_arn = aws_codestarconnections_connection.oonidevops.arn
 
   codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket

From 01ab56876484898e49182b50199bf4c27735b3ab Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Mon, 8 Jun 2026 14:22:37 +0200
Subject: [PATCH 03/28] Extend ooniapi_service to provide scheduled run

---
 tf/modules/ooniapi_service/main.tf      | 68 ++++++++++++++++++++++++-
 tf/modules/ooniapi_service/variables.tf | 22 ++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/tf/modules/ooniapi_service/main.tf b/tf/modules/ooniapi_service/main.tf
index 84e9f38f..068d1651 100644
--- a/tf/modules/ooniapi_service/main.tf
+++ b/tf/modules/ooniapi_service/main.tf
@@ -36,6 +36,72 @@ resource "aws_iam_role_policy" "ooniapi_service_task" {
   policy = templatefile("${path.module}/templates/profile_policy.json", {})
 }
 
+resource "aws_iam_role" "events_run_task" {
+  count = var.run_on_schedule ? 1 : 0
+  name  = "${local.name}-events-run-task-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [{
+    "Effect": "Allow",
+    "Principal": {"Service": "events.amazonaws.com"},
+    "Action": "sts:AssumeRole"
+  }]
+}
+EOF
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy" "events_run_task_policy" {
+  count = var.run_on_schedule ? 1 : 0
+  name  = "${local.name}-events-run-task-policy"
+  role  = aws_iam_role.events_run_task[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecs:RunTask",
+          "iam:PassRole",
+          "ecs:StartTask",
+          "ecs:DescribeClusters",
+          "ecs:DescribeTasks"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_cloudwatch_event_rule" "scheduled_run" {
+  count               = var.run_on_schedule ? 1 : 0
+  name                = "${local.name}-schedule"
+  schedule_expression = var.schedule_expression
+  tags                = var.tags
+}
+
+resource "aws_cloudwatch_event_target" "run_ecs_task" {
+  count = var.run_on_schedule ? 1 : 0
+  rule  = aws_cloudwatch_event_rule.scheduled_run[0].name
+  arn   = data.aws_ecs_cluster.target[0].arn
+
+  role_arn = aws_iam_role.events_run_task[0].arn
+
+  ecs_target {
+    task_definition_arn = aws_ecs_task_definition.ooniapi_service.arn
+    task_count          = 1
+  }
+}
+
+data "aws_ecs_cluster" "target" {
+  count = var.run_on_schedule ? 1 : 0
+  cluster_name = var.scheduled_task_cluster
+}
+
 resource "aws_cloudwatch_log_group" "ooniapi_service" {
   name = "ooni-ecs-group/${local.name}"
 }
@@ -99,7 +165,7 @@ resource "aws_ecs_service" "ooniapi_service" {
   name            = local.name
   cluster         = var.ecs_cluster_id
   task_definition = aws_ecs_task_definition.ooniapi_service.arn
-  desired_count   = var.service_desired_count
+  desired_count   = var.run_on_schedule ? 0 : var.service_desired_count
 
   deployment_minimum_healthy_percent = 50
   deployment_maximum_percent         = 200
diff --git a/tf/modules/ooniapi_service/variables.tf b/tf/modules/ooniapi_service/variables.tf
index 2cb0a645..538d0e4d 100644
--- a/tf/modules/ooniapi_service/variables.tf
+++ b/tf/modules/ooniapi_service/variables.tf
@@ -98,3 +98,25 @@ variable "autoscale_policies" {
 
   default = []
 }
+
+variable "run_on_schedule" {
+  type    = bool
+  default = false
+
+  validation {
+    condition = !(var.run_on_schedule == true && var.scheduled_task_cluster == null)
+    error_message = "scheduled_task_cluster must be set when run_on_schedule = true."
+  }
+}
+
+variable "schedule_expression" {
+  type    = string
+  default = "cron(0 6 ? * MON-FRI *)" # example default; callers override
+}
+
+variable "scheduled_task_cluster" {
+  type    = string
+  description = "Name of the ECS cluster to run the scheduled task on (required when run_on_schedule = True)."
+  nullable = true
+  default = null
+}

From e8e191e1c60b1ca137231b187aa36c9eef139e8b Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 9 Jun 2026 14:18:25 +0200
Subject: [PATCH 04/28] add scheduled_service module

---
 tf/modules/scheduled_service/main.tf          | 156 ++++++++++++++++++
 tf/modules/scheduled_service/outputs.tf       |   7 +
 .../templates/profile_policy.json             |  61 +++++++
 tf/modules/scheduled_service/variables.tf     |  79 +++++++++
 4 files changed, 303 insertions(+)
 create mode 100644 tf/modules/scheduled_service/main.tf
 create mode 100644 tf/modules/scheduled_service/outputs.tf
 create mode 100644 tf/modules/scheduled_service/templates/profile_policy.json
 create mode 100644 tf/modules/scheduled_service/variables.tf

diff --git a/tf/modules/scheduled_service/main.tf b/tf/modules/scheduled_service/main.tf
new file mode 100644
index 00000000..19e4a3b1
--- /dev/null
+++ b/tf/modules/scheduled_service/main.tf
@@ -0,0 +1,156 @@
+locals {
+  name = "scheduled-service-${var.service_name}"
+  # We construct a stripped name that is without the "ooni" substring and all
+  # vocals are stripped.
+  stripped_name = replace(replace(var.service_name, "ooni", ""), "[aeiou]", "")
+  # Short prefix should be less than 5 characters
+  short_prefix = "O${substr(local.stripped_name, 0, 3)}"
+}
+
+resource "aws_iam_role" "scheduled_service_task" {
+  name = "${local.name}-task-role"
+
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "ecs-tasks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy" "scheduled_service_task" {
+  name = "${local.name}-task-role"
+  role = aws_iam_role.scheduled_service_task.name
+
+  policy = templatefile("${path.module}/templates/profile_policy.json", {})
+}
+
+resource "aws_iam_role" "events_run_task" {
+  count = 1
+  name  = "${local.name}-events-run-task-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [{
+    "Effect": "Allow",
+    "Principal": {"Service": "events.amazonaws.com"},
+    "Action": "sts:AssumeRole"
+  }]
+}
+EOF
+
+  tags = var.tags
+}
+
+resource "aws_iam_role_policy" "events_run_task_policy" {
+  count = 1
+  name  = "${local.name}-events-run-task-policy"
+  role  = aws_iam_role.events_run_task[0].id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = [
+          "ecs:RunTask",
+          "iam:PassRole",
+          "ecs:StartTask",
+          "ecs:DescribeClusters",
+          "ecs:DescribeTasks"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_cloudwatch_event_rule" "scheduled_run" {
+  count               = 1
+  name                = "${local.name}-schedule"
+  schedule_expression = var.schedule_expression
+  tags                = var.tags
+}
+
+resource "aws_cloudwatch_event_target" "run_ecs_task" {
+  count = 1
+  rule  = aws_cloudwatch_event_rule.scheduled_run[0].name
+  arn   = data.aws_ecs_cluster.target[0].arn
+
+  role_arn = aws_iam_role.events_run_task[0].arn
+
+  ecs_target {
+    task_definition_arn = aws_ecs_task_definition.scheduled_service.arn
+    task_count          = 1
+  }
+}
+
+data "aws_ecs_cluster" "target" {
+  count = 1
+  cluster_name = var.scheduled_task_cluster
+}
+
+resource "aws_cloudwatch_log_group" "scheduled_service" {
+  name = "ooni-ecs-group/${local.name}"
+}
+
+// This is done to retrieve the image name of the current task definition
+// It's important to keep aligned the container_name and task_definitions
+data "aws_ecs_container_definition" "scheduled_service_current" {
+  task_definition = "${local.name}-td"
+  container_name  = local.name
+  count           = var.first_run ? 0 : 1
+}
+
+resource "aws_ecs_task_definition" "scheduled_service" {
+  family       = "${local.name}-td"
+  network_mode = "bridge"
+
+  container_definitions = jsonencode([
+    {
+      memoryReservation = var.task_memory,
+      memory            = var.memory_hard_limit
+      essential         = true,
+      image = try(
+        data.aws_ecs_container_definition.scheduled_service_current[0].image,
+        var.default_docker_image_url
+      ),
+      name = local.name,
+
+      environment = [
+        for k, v in var.task_environment : {
+          name  = k,
+          value = v
+        }
+      ],
+      secrets = [
+        for k, v in var.task_secrets : {
+          name      = k,
+          valueFrom = v
+        }
+      ],
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          awslogs-group  = aws_cloudwatch_log_group.scheduled_service.name,
+          awslogs-region = var.aws_region
+        }
+      }
+    }
+  ])
+  execution_role_arn = aws_iam_role.scheduled_service_task.arn
+  tags               = var.tags
+  track_latest       = true
+}
diff --git a/tf/modules/scheduled_service/outputs.tf b/tf/modules/scheduled_service/outputs.tf
new file mode 100644
index 00000000..85f5994d
--- /dev/null
+++ b/tf/modules/scheduled_service/outputs.tf
@@ -0,0 +1,7 @@
+output "ecs_service_name" {
+  value = aws_ecs_service.ooniapi_service.name
+}
+
+output "alb_target_group_id" {
+  value = aws_alb_target_group.ooniapi_service.id
+}
diff --git a/tf/modules/scheduled_service/templates/profile_policy.json b/tf/modules/scheduled_service/templates/profile_policy.json
new file mode 100644
index 00000000..3a772893
--- /dev/null
+++ b/tf/modules/scheduled_service/templates/profile_policy.json
@@ -0,0 +1,61 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ecsInstanceRole",
+      "Effect": "Allow",
+      "Action": [
+        "ecs:DeregisterContainerInstance",
+        "ecs:DiscoverPollEndpoint",
+        "ecs:Poll",
+        "ecs:RegisterContainerInstance",
+        "ecs:Submit*",
+        "ecs:StartTelemetrySession"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "CloudWatchLogsFullAccess",
+      "Effect": "Allow",
+      "Action": ["logs:*", "cloudwatch:GenerateQuery"],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetResourcePolicy",
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:ListSecretVersionIds"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": "secretsmanager:ListSecrets",
+      "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+          "ssm:GetParameter",
+          "ssm:GetParameters",
+          "ssm:GetParameterHistory",
+          "ssm:GetParametersByPath"
+      ],
+      "Resource": "arn:aws:ssm:*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:Describe*",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:DeregisterTargets",
+        "elasticloadbalancing:Describe*",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:RegisterTargets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
diff --git a/tf/modules/scheduled_service/variables.tf b/tf/modules/scheduled_service/variables.tf
new file mode 100644
index 00000000..537d27ba
--- /dev/null
+++ b/tf/modules/scheduled_service/variables.tf
@@ -0,0 +1,79 @@
+variable "aws_region" {
+  description = "The AWS region to create things in."
+  default     = "eu-central-1"
+}
+
+variable "first_run" {
+  default = false
+}
+
+variable "key_name" {
+  description = "Name of AWS key pair"
+}
+
+variable "service_name" {
+  description = "short service name. will become the first part of the fqdn eg. <service_name>.prod.ooni.io"
+}
+
+variable "stage" {
+  default = "one of dev, stage, test, prod"
+}
+
+variable "vpc_id" {
+  description = "the id of the VPC to deploy the instance into"
+}
+
+variable "tags" {
+  description = "tags to apply to the resources"
+  default     = {}
+  type        = map(string)
+}
+
+variable "task_memory" {
+  default     = 64
+  description = "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size"
+}
+
+variable "memory_hard_limit" {
+  default     = 1024
+  description = "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#task_size"
+}
+
+variable "dns_zone_ooni_io" {
+  description = "id of the DNS zone for ooni_io"
+}
+
+variable "default_docker_image_url" {
+  description = "the url to the default docker image unless there is one already defined in the task definition"
+}
+
+variable "ecs_cluster_id" {
+  description = "id of the cluster to deploy into"
+}
+
+variable "task_secrets" {
+  default = {}
+  type    = map(string)
+}
+
+variable "task_environment" {
+  default = {}
+  type    = map(string)
+}
+
+variable "ooniapi_service_security_groups" {
+  description = "the shared web security group from the ecs cluster"
+  type        = list(string)
+}
+
+variable "schedule_expression" {
+  type    = string
+  default = "cron(0 6 ? * MON-FRI *)" # example default; callers override
+}
+
+variable "scheduled_task_cluster" {
+  type    = string
+  description = "Name of the ECS cluster to run the scheduled task on."
+  nullable = true
+  default = null
+}

From 1d82bdbcbc2001d0a31ea0a76f57ad1b56ffc8e0 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 9 Jun 2026 14:47:14 +0200
Subject: [PATCH 05/28] add reuploader scheduled service (hourly)

---
 tf/environments/dev/main.tf | 38 +++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 82b678c1..ff4089f2 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -951,6 +951,44 @@ module "reuploader_builder" {
   codepipeline_bucket = aws_s3_bucket.ooniapi_codepipeline_bucket.bucket
 }
 
+module "reuploader" {
+  source = "../../modules/scheduled_service"
+
+  task_memory = 256
+
+  vpc_id = module.network.vpc_id
+
+  service_name             = "reuploader"
+  default_docker_image_url = "ooni/reuploader:latest"
+  schedule_expression      = "cron(0 * * * ? 2000-2199)"
+  stage                    = local.environment
+  dns_zone_ooni_io         = local.dns_zone_ooni_io
+  key_name                 = module.adm_iam_roles.oonidevops_key_name
+  ecs_cluster_id           = module.ooniapi_cluster.cluster_id
+
+  task_secrets = {
+    AWS_ACCESS_KEY_ID           = data.aws_ssm_parameter.s3_user_access_id
+    AWS_SECRET_ACCESS_KEY       = data.aws_ssm_parameter.s3_user_secret_key
+    #ROLE_ARN                    =
+    #ROLE_DURATION_SECONDS       = "3600"
+    AWS_REGION                  = var.aws_region
+    # required
+    BUCKET_NAME                 = "ooniprobe-failed-reports-eu-central-1-1d24426a"
+    # PREFIX # s3 path prefix
+    # fastpath API endpoint; use the last (fallback) fastpath instance in set
+    FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
+  }
+
+  ooniapi_service_security_groups = [
+    module.ooniapi_cluster.web_security_group_id
+  ]
+
+  tags = merge(
+    local.tags,
+    { Name = "ooni-tier0-reuploader" }
+  )
+}
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {

From d245b73db9805c7204042d4f34a9e4fb66be9198 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 9 Jun 2026 16:56:51 +0200
Subject: [PATCH 06/28] set failed reports bucket

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index ff4089f2..92fd1f27 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -973,7 +973,7 @@ module "reuploader" {
     #ROLE_DURATION_SECONDS       = "3600"
     AWS_REGION                  = var.aws_region
     # required
-    BUCKET_NAME                 = "ooniprobe-failed-reports-eu-central-1-1d24426a"
+    BUCKET_NAME                 = aws_s3_bucket.ooniprobe_failed_reports.bucket
     # PREFIX # s3 path prefix
     # fastpath API endpoint; use the last (fallback) fastpath instance in set
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"

From 4dd954ed217ea3961c29a5e90851589fcc29ddc1 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 09:42:21 +0200
Subject: [PATCH 07/28] reuploader: set DRY_RUN=true

---
 tf/environments/dev/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 92fd1f27..689d1f6f 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -974,6 +974,7 @@ module "reuploader" {
     AWS_REGION                  = var.aws_region
     # required
     BUCKET_NAME                 = aws_s3_bucket.ooniprobe_failed_reports.bucket
+    DRY_RUN                     = true
     # PREFIX # s3 path prefix
     # fastpath API endpoint; use the last (fallback) fastpath instance in set
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"

From b6e2ba72c0ec9a784d66bddd207472c4e9630b9a Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 09:43:25 +0200
Subject: [PATCH 08/28] reuploader: set BATCH_SIZE=10

---
 tf/environments/dev/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 689d1f6f..21dbed28 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -972,6 +972,7 @@ module "reuploader" {
     #ROLE_ARN                    =
     #ROLE_DURATION_SECONDS       = "3600"
     AWS_REGION                  = var.aws_region
+    BATCH_SIZE                  = 10
     # required
     BUCKET_NAME                 = aws_s3_bucket.ooniprobe_failed_reports.bucket
     DRY_RUN                     = true

From 0b94e88d3dddb3c3dff62c05243b8ec39a33c424 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 09:43:49 +0200
Subject: [PATCH 09/28] reuploader: set AWS_SECRET_ACCESS_KEY from module

---
 tf/environments/dev/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 21dbed28..7c610dc9 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -967,8 +967,9 @@ module "reuploader" {
   ecs_cluster_id           = module.ooniapi_cluster.cluster_id
 
   task_secrets = {
-    AWS_ACCESS_KEY_ID           = data.aws_ssm_parameter.s3_user_access_id
-    AWS_SECRET_ACCESS_KEY       = data.aws_ssm_parameter.s3_user_secret_key
+    AWS_SECRET_ACCESS_KEY       = module.ooniapi_user.aws_secret_access_key_arn
+    AWS_ACCESS_KEY_ID           = module.ooniapi_user.aws_access_key_id_arn
+
     #ROLE_ARN                    =
     #ROLE_DURATION_SECONDS       = "3600"
     AWS_REGION                  = var.aws_region

From 22f35d53bfb4f65584a8f135ddeb8bc59c7cb70d Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 10:13:40 +0200
Subject: [PATCH 10/28] reuploader: set scheduled_task_cluster

---
 tf/environments/dev/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 7c610dc9..94bf5d5a 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -964,6 +964,7 @@ module "reuploader" {
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io
   key_name                 = module.adm_iam_roles.oonidevops_key_name
+  scheduled_task_cluster   = module.ooniapi_cluster.cluster_name
   ecs_cluster_id           = module.ooniapi_cluster.cluster_id
 
   task_secrets = {

From 3a0b89536a5cf3817443c863f3957de3aee34e2e Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 10:14:07 +0200
Subject: [PATCH 11/28] reuploader: remove unused outputs

---
 tf/modules/scheduled_service/outputs.tf | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/tf/modules/scheduled_service/outputs.tf b/tf/modules/scheduled_service/outputs.tf
index 85f5994d..e69de29b 100644
--- a/tf/modules/scheduled_service/outputs.tf
+++ b/tf/modules/scheduled_service/outputs.tf
@@ -1,7 +0,0 @@
-output "ecs_service_name" {
-  value = aws_ecs_service.ooniapi_service.name
-}
-
-output "alb_target_group_id" {
-  value = aws_alb_target_group.ooniapi_service.id
-}

From d171d28fb6248821df8e84a9b1062b4d9036a475 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 10:14:19 +0200
Subject: [PATCH 12/28] reuploader: add first_run to create container
 definition

---
 tf/environments/dev/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 94bf5d5a..4cdced80 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -958,6 +958,7 @@ module "reuploader" {
 
   vpc_id = module.network.vpc_id
 
+  first_run                = true
   service_name             = "reuploader"
   default_docker_image_url = "ooni/reuploader:latest"
   schedule_expression      = "cron(0 * * * ? 2000-2199)"

From c2ffbf1275cca3a5b938c2f14fa3621b0a99466a Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 10:16:43 +0200
Subject: [PATCH 13/28] reuploader: pin to tagged container

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 4cdced80..bd42fd48 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -960,7 +960,7 @@ module "reuploader" {
 
   first_run                = true
   service_name             = "reuploader"
-  default_docker_image_url = "ooni/reuploader:latest"
+  default_docker_image_url = "ooni/reuploader:20260611-f9cf0ff7"
   schedule_expression      = "cron(0 * * * ? 2000-2199)"
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io

From d55b50225000bded876d7b7bf03b57b8a1a885da Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 12:48:24 +0200
Subject: [PATCH 14/28] remove redundant count

---
 tf/modules/scheduled_service/main.tf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/tf/modules/scheduled_service/main.tf b/tf/modules/scheduled_service/main.tf
index 19e4a3b1..9c18fbdc 100644
--- a/tf/modules/scheduled_service/main.tf
+++ b/tf/modules/scheduled_service/main.tf
@@ -37,7 +37,6 @@ resource "aws_iam_role_policy" "scheduled_service_task" {
 }
 
 resource "aws_iam_role" "events_run_task" {
-  count = 1
   name  = "${local.name}-events-run-task-role"
 
   assume_role_policy = <<EOF
@@ -55,7 +54,6 @@ EOF
 }
 
 resource "aws_iam_role_policy" "events_run_task_policy" {
-  count = 1
   name  = "${local.name}-events-run-task-policy"
   role  = aws_iam_role.events_run_task[0].id
 
@@ -78,14 +76,12 @@ resource "aws_iam_role_policy" "events_run_task_policy" {
 }
 
 resource "aws_cloudwatch_event_rule" "scheduled_run" {
-  count               = 1
   name                = "${local.name}-schedule"
   schedule_expression = var.schedule_expression
   tags                = var.tags
 }
 
 resource "aws_cloudwatch_event_target" "run_ecs_task" {
-  count = 1
   rule  = aws_cloudwatch_event_rule.scheduled_run[0].name
   arn   = data.aws_ecs_cluster.target[0].arn
 
@@ -98,7 +94,6 @@ resource "aws_cloudwatch_event_target" "run_ecs_task" {
 }
 
 data "aws_ecs_cluster" "target" {
-  count = 1
   cluster_name = var.scheduled_task_cluster
 }
 

From dbe872f8d515dbe509c5852ca5d36d4e98758794 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 13:08:55 +0200
Subject: [PATCH 15/28] singleton requires no index

---
 tf/modules/scheduled_service/main.tf | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/tf/modules/scheduled_service/main.tf b/tf/modules/scheduled_service/main.tf
index 9c18fbdc..b269742b 100644
--- a/tf/modules/scheduled_service/main.tf
+++ b/tf/modules/scheduled_service/main.tf
@@ -55,7 +55,7 @@ EOF
 
 resource "aws_iam_role_policy" "events_run_task_policy" {
   name  = "${local.name}-events-run-task-policy"
-  role  = aws_iam_role.events_run_task[0].id
+  role  = aws_iam_role.events_run_task.id
 
   policy = jsonencode({
     Version = "2012-10-17"
@@ -82,10 +82,10 @@ resource "aws_cloudwatch_event_rule" "scheduled_run" {
 }
 
 resource "aws_cloudwatch_event_target" "run_ecs_task" {
-  rule  = aws_cloudwatch_event_rule.scheduled_run[0].name
-  arn   = data.aws_ecs_cluster.target[0].arn
+  rule  = aws_cloudwatch_event_rule.scheduled_run.name
+  arn   = data.aws_ecs_cluster.target.arn
 
-  role_arn = aws_iam_role.events_run_task[0].arn
+  role_arn = aws_iam_role.events_run_task.arn
 
   ecs_target {
     task_definition_arn = aws_ecs_task_definition.scheduled_service.arn
@@ -119,7 +119,7 @@ resource "aws_ecs_task_definition" "scheduled_service" {
       memory            = var.memory_hard_limit
       essential         = true,
       image = try(
-        data.aws_ecs_container_definition.scheduled_service_current[0].image,
+        data.aws_ecs_container_definition.scheduled_service_current.image,
         var.default_docker_image_url
       ),
       name = local.name,

From 27f9c59c62cf8c3eeca8dec37bd12238e604facb Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 13:43:12 +0200
Subject: [PATCH 16/28] FIXME: try to add events:PutRule et al to profile

I see AccessDeniedException; but this change doesn't fix it
---
 tf/modules/scheduled_service/main.tf                   |  7 +++++--
 .../scheduled_service/templates/profile_policy.json    | 10 ++++++++++
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/tf/modules/scheduled_service/main.tf b/tf/modules/scheduled_service/main.tf
index b269742b..b09cf7d1 100644
--- a/tf/modules/scheduled_service/main.tf
+++ b/tf/modules/scheduled_service/main.tf
@@ -67,7 +67,10 @@ resource "aws_iam_role_policy" "events_run_task_policy" {
           "iam:PassRole",
           "ecs:StartTask",
           "ecs:DescribeClusters",
-          "ecs:DescribeTasks"
+          "ecs:DescribeTasks",
+          "events:TagResource",
+          "events:PutRule",
+          "events:PutTargets",
         ]
         Resource = "*"
       }
@@ -119,7 +122,7 @@ resource "aws_ecs_task_definition" "scheduled_service" {
       memory            = var.memory_hard_limit
       essential         = true,
       image = try(
-        data.aws_ecs_container_definition.scheduled_service_current.image,
+        data.aws_ecs_container_definition.scheduled_service_current[0].image,
         var.default_docker_image_url
       ),
       name = local.name,
diff --git a/tf/modules/scheduled_service/templates/profile_policy.json b/tf/modules/scheduled_service/templates/profile_policy.json
index 3a772893..b0a059d2 100644
--- a/tf/modules/scheduled_service/templates/profile_policy.json
+++ b/tf/modules/scheduled_service/templates/profile_policy.json
@@ -56,6 +56,16 @@
         "elasticloadbalancing:RegisterTargets"
       ],
       "Resource": "*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "events:TagResource",
+        "events:PutRule",
+        "events:PutTargets"
+      ],
+      "Resource": "*"
     }
+
   ]
 }

From 093c98f73383cb077da4abc8ee5ca14961ecb40b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20D=C3=ADaz?= <ldiazn98@gmail.com>
Date: Thu, 11 Jun 2026 14:25:12 +0200
Subject: [PATCH 17/28] Add permission to the ooni_devops role to modify events

---
 tf/modules/adm_iam_roles/main.tf | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tf/modules/adm_iam_roles/main.tf b/tf/modules/adm_iam_roles/main.tf
index aa5c525f..10fb15f9 100644
--- a/tf/modules/adm_iam_roles/main.tf
+++ b/tf/modules/adm_iam_roles/main.tf
@@ -53,7 +53,8 @@ resource "aws_iam_policy" "oonidevops" {
         "secretsmanager:*",
         "cloudhsm:*",
         "athena:*",
-        "glue:*"
+        "glue:*",
+        "events:*"
       ],
       "Resource": "*"
     }

From 94f3638eedc2d3dad9e9cbf7b3f452312c81f398 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 15:16:01 +0200
Subject: [PATCH 18/28] unmix environment from secrets

---
 tf/environments/dev/main.tf | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index f17b1a05..dcd73ac6 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -968,15 +968,8 @@ module "reuploader" {
   scheduled_task_cluster   = module.ooniapi_cluster.cluster_name
   ecs_cluster_id           = module.ooniapi_cluster.cluster_id
 
-  task_secrets = {
-    AWS_SECRET_ACCESS_KEY       = module.ooniapi_user.aws_secret_access_key_arn
-    AWS_ACCESS_KEY_ID           = module.ooniapi_user.aws_access_key_id_arn
-
-    #ROLE_ARN                    =
-    #ROLE_DURATION_SECONDS       = "3600"
-    AWS_REGION                  = var.aws_region
+  task_environment = {
     BATCH_SIZE                  = 10
-    # required
     BUCKET_NAME                 = aws_s3_bucket.ooniprobe_failed_reports.bucket
     DRY_RUN                     = true
     # PREFIX # s3 path prefix
@@ -984,6 +977,12 @@ module "reuploader" {
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
   }
 
+  task_secrets = {
+    AWS_SECRET_ACCESS_KEY       = module.ooniapi_user.aws_secret_access_key_arn
+    AWS_ACCESS_KEY_ID           = module.ooniapi_user.aws_access_key_id_arn
+    AWS_REGION                  = var.aws_region
+  }
+
   ooniapi_service_security_groups = [
     module.ooniapi_cluster.web_security_group_id
   ]

From 92fb38aee75614bd0f1fd8a356c4613fdebb05d6 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 15:42:38 +0200
Subject: [PATCH 19/28] use bucket from
 https://github.com/ooni/devops/issues/398

---
 tf/environments/dev/main.tf | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index dcd73ac6..d69c3683 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -961,7 +961,7 @@ module "reuploader" {
   first_run                = true
   service_name             = "reuploader"
   default_docker_image_url = "ooni/reuploader:20260611-f9cf0ff7"
-  schedule_expression      = "cron(0 * * * ? 2000-2199)"
+  schedule_expression      = "cron(42 * * * ? 2000-2199)"
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io
   key_name                 = module.adm_iam_roles.oonidevops_key_name
@@ -970,10 +970,8 @@ module "reuploader" {
 
   task_environment = {
     BATCH_SIZE                  = 10
-    BUCKET_NAME                 = aws_s3_bucket.ooniprobe_failed_reports.bucket
+    BUCKET_NAME                 = "ooniprobe-failed-reports-eu-central-1-1d24426a"
     DRY_RUN                     = true
-    # PREFIX # s3 path prefix
-    # fastpath API endpoint; use the last (fallback) fastpath instance in set
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
   }
 

From bafa1755bf0f2eaa9fe8e0ffa31407290a029eae Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 16:18:25 +0200
Subject: [PATCH 20/28] update reuploader, fix env

---
 tf/environments/dev/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index d69c3683..d922aa2e 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -960,8 +960,8 @@ module "reuploader" {
 
   first_run                = true
   service_name             = "reuploader"
-  default_docker_image_url = "ooni/reuploader:20260611-f9cf0ff7"
-  schedule_expression      = "cron(42 * * * ? 2000-2199)"
+  default_docker_image_url = "ooni/reuploader:20260611-840e1b63"
+  schedule_expression      = "cron(0 * * * ? 2000-2199)"
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io
   key_name                 = module.adm_iam_roles.oonidevops_key_name

From ed341e5b72dc2b52dcae1749cf332331ec40ebb2 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 16:49:50 +0200
Subject: [PATCH 21/28] add AWS_REGION to task_environment

---
 tf/environments/dev/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index d922aa2e..c9a70776 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -961,7 +961,7 @@ module "reuploader" {
   first_run                = true
   service_name             = "reuploader"
   default_docker_image_url = "ooni/reuploader:20260611-840e1b63"
-  schedule_expression      = "cron(0 * * * ? 2000-2199)"
+  schedule_expression      = "cron(0/5 * * * ? 2000-2199)"
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io
   key_name                 = module.adm_iam_roles.oonidevops_key_name
@@ -969,6 +969,7 @@ module "reuploader" {
   ecs_cluster_id           = module.ooniapi_cluster.cluster_id
 
   task_environment = {
+    AWS_REGION                  = var.aws_region
     BATCH_SIZE                  = 10
     BUCKET_NAME                 = "ooniprobe-failed-reports-eu-central-1-1d24426a"
     DRY_RUN                     = true
@@ -978,7 +979,6 @@ module "reuploader" {
   task_secrets = {
     AWS_SECRET_ACCESS_KEY       = module.ooniapi_user.aws_secret_access_key_arn
     AWS_ACCESS_KEY_ID           = module.ooniapi_user.aws_access_key_id_arn
-    AWS_REGION                  = var.aws_region
   }
 
   ooniapi_service_security_groups = [

From bb5a163bdbce9a4349d2cf075c38fcaa3647344d Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Thu, 11 Jun 2026 16:58:42 +0200
Subject: [PATCH 22/28] set S3_BUCKET_NAME env

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index c9a70776..436b1d6d 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -971,7 +971,7 @@ module "reuploader" {
   task_environment = {
     AWS_REGION                  = var.aws_region
     BATCH_SIZE                  = 10
-    BUCKET_NAME                 = "ooniprobe-failed-reports-eu-central-1-1d24426a"
+    S3_BUCKET_NAME              = "ooniprobe-failed-reports-eu-central-1-1d24426a"
     DRY_RUN                     = true
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
   }

From bea658faea7608bbc3b4d8979f548c2e64331c0e Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 16 Jun 2026 17:04:56 +0200
Subject: [PATCH 23/28] test reading primary failed reports bucket

---
 tf/environments/dev/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 436b1d6d..3f3f5252 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -971,7 +971,7 @@ module "reuploader" {
   task_environment = {
     AWS_REGION                  = var.aws_region
     BATCH_SIZE                  = 10
-    S3_BUCKET_NAME              = "ooniprobe-failed-reports-eu-central-1-1d24426a"
+    S3_BUCKET_NAME              = aws_s3_bucket.ooniprobe_failed_reports.bucket
     DRY_RUN                     = true
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
   }

From a5fdbc106cfe65692fc0d309ffd14ee83fb4294f Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 16 Jun 2026 17:49:04 +0200
Subject: [PATCH 24/28] add iam_role_policy for reuploader task

---
 tf/environments/dev/main.tf             | 25 +++++++++++++++++++++++++
 tf/modules/scheduled_service/outputs.tf | 14 ++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 3f3f5252..d5547783 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -991,6 +991,31 @@ module "reuploader" {
   )
 }
 
+# For reuploader accessing the failed reports s3 bucket
+resource "aws_iam_role_policy" "reuploader_role" {
+  name = "${local.name}-task-role"
+  role = module.reuploader.task_role_name
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Sid    = ""
+        Effect = "Allow"
+        Action = ["s3:GetObject"]
+        Resource = "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
+     },
+     {
+       Sid    = ""
+       Effect = "Allow"
+       Action = ["s3:ListBucket"]
+       Resource = aws_s3_bucket.ooniprobe_failed_reports.arn
+     }
+   ]
+  })
+}
+
+
 #### OONI Run service
 
 module "ooniapi_oonirun_deployer" {
diff --git a/tf/modules/scheduled_service/outputs.tf b/tf/modules/scheduled_service/outputs.tf
index e69de29b..a4970d33 100644
--- a/tf/modules/scheduled_service/outputs.tf
+++ b/tf/modules/scheduled_service/outputs.tf
@@ -0,0 +1,14 @@
+output "task_role_name" {
+description = "IAM role name used for scheduled task"
+value       = aws_iam_role.events_run_task.name
+}
+
+output "task_role_id" {
+description = "IAM role ID for the scheduled task"
+value       = aws_iam_role.events_run_task.id
+}
+
+output "task_role_arn" {
+description = "IAM role ARN for the scheduled task"
+value       = aws_iam_role.events_run_task.arn
+}

From e9ebb3f85bb95ec50bf9efe69adcadcf988aa4f6 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Tue, 16 Jun 2026 18:26:45 +0200
Subject: [PATCH 25/28] remove task secrets from reuploader; container uses ecs
 task role

---
 tf/environments/dev/main.tf | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index d5547783..555dd81e 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -977,8 +977,6 @@ module "reuploader" {
   }
 
   task_secrets = {
-    AWS_SECRET_ACCESS_KEY       = module.ooniapi_user.aws_secret_access_key_arn
-    AWS_ACCESS_KEY_ID           = module.ooniapi_user.aws_access_key_id_arn
   }
 
   ooniapi_service_security_groups = [

From 1e6802e22bf6bdc5dd677e06869d75c0c54fdca3 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Wed, 17 Jun 2026 12:18:25 +0200
Subject: [PATCH 26/28] output scheduled_service_task.arn as task_role_arn

---
 tf/environments/dev/main.tf             | 2 +-
 tf/modules/scheduled_service/outputs.tf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 555dd81e..46347e81 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -960,7 +960,7 @@ module "reuploader" {
 
   first_run                = true
   service_name             = "reuploader"
-  default_docker_image_url = "ooni/reuploader:20260611-840e1b63"
+  default_docker_image_url = "ooni/reuploader:20260617-8b35a38f"
   schedule_expression      = "cron(0/5 * * * ? 2000-2199)"
   stage                    = local.environment
   dns_zone_ooni_io         = local.dns_zone_ooni_io
diff --git a/tf/modules/scheduled_service/outputs.tf b/tf/modules/scheduled_service/outputs.tf
index a4970d33..c22e9033 100644
--- a/tf/modules/scheduled_service/outputs.tf
+++ b/tf/modules/scheduled_service/outputs.tf
@@ -1,14 +1,14 @@
 output "task_role_name" {
 description = "IAM role name used for scheduled task"
-value       = aws_iam_role.events_run_task.name
+value       = aws_iam_role.scheduled_service_task.name
 }
 
 output "task_role_id" {
 description = "IAM role ID for the scheduled task"
-value       = aws_iam_role.events_run_task.id
+value       = aws_iam_role.scheduled_service_task.id
 }
 
 output "task_role_arn" {
 description = "IAM role ARN for the scheduled task"
-value       = aws_iam_role.events_run_task.arn
+value       = aws_iam_role.scheduled_service_task.arn
 }

From 8a603fadb28ecf5f7a774de077b5c1c452d11b64 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Wed, 17 Jun 2026 12:33:37 +0200
Subject: [PATCH 27/28] set task_role_arn = scheduled_service_task.arn

---
 tf/modules/scheduled_service/main.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tf/modules/scheduled_service/main.tf b/tf/modules/scheduled_service/main.tf
index b09cf7d1..7dc94d24 100644
--- a/tf/modules/scheduled_service/main.tf
+++ b/tf/modules/scheduled_service/main.tf
@@ -148,6 +148,7 @@ resource "aws_ecs_task_definition" "scheduled_service" {
       }
     }
   ])
+  task_role_arn      = aws_iam_role.scheduled_service_task.arn
   execution_role_arn = aws_iam_role.scheduled_service_task.arn
   tags               = var.tags
   track_latest       = true

From 20b309aa76fd76ef67eaa0a7b088321b543a9024 Mon Sep 17 00:00:00 2001
From: Aaron Gibson <aagbsn@extc.org>
Date: Wed, 17 Jun 2026 16:15:32 +0200
Subject: [PATCH 28/28] WIP: use the bucket from ticket
 https://github.com/ooni/devops/issues/398

---
 tf/environments/dev/main.tf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
index 46347e81..9f60b731 100644
--- a/tf/environments/dev/main.tf
+++ b/tf/environments/dev/main.tf
@@ -354,6 +354,10 @@ resource "aws_s3_bucket" "ooniprobe_failed_reports" {
   bucket = "ooniprobe-failed-reports-${var.aws_region}"
 }
 
+data "aws_s3_bucket" "ooniprobe_failed_reports_2026_04_10" {
+  bucket = "ooniprobe-failed-reports-eu-central-1-1d24426a"
+}
+
 resource "aws_s3_bucket" "ooniapi_codepipeline_bucket" {
   bucket = "codepipeline-ooniapi-${var.aws_region}-${random_id.artifact_id.hex}"
 }
@@ -971,7 +975,7 @@ module "reuploader" {
   task_environment = {
     AWS_REGION                  = var.aws_region
     BATCH_SIZE                  = 10
-    S3_BUCKET_NAME              = aws_s3_bucket.ooniprobe_failed_reports.bucket
+    S3_BUCKET_NAME              = data.aws_s3_bucket.ooniprobe_failed_reports_2026_04_10.bucket
     DRY_RUN                     = true
     FASTPATH_API                = "http://${local.fastpath_hosts[length(local.fastpath_hosts) - 1]}:8472"
   }
@@ -1001,13 +1005,13 @@ resource "aws_iam_role_policy" "reuploader_role" {
         Sid    = ""
         Effect = "Allow"
         Action = ["s3:GetObject"]
-        Resource = "${aws_s3_bucket.ooniprobe_failed_reports.arn}/*"
+        Resource = "${data.aws_s3_bucket.ooniprobe_failed_reports_2026_04_10.arn}/*"
      },
      {
        Sid    = ""
        Effect = "Allow"
        Action = ["s3:ListBucket"]
-       Resource = aws_s3_bucket.ooniprobe_failed_reports.arn
+       Resource = data.aws_s3_bucket.ooniprobe_failed_reports_2026_04_10.arn
      }
    ]
   })