From 509934895dd2a6b91a24140a2cd500a61ea30713 Mon Sep 17 00:00:00 2001
From: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Date: Wed, 29 Oct 2025 16:41:53 +0000
Subject: [PATCH 1/3] Add CI fix: disable state locking

Copy the CI workflow fix from main to enable reliable CI runs without state lock conflicts.
---
 .github/workflows/automatic.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/automatic.yml b/.github/workflows/automatic.yml
index 68ff24d..c255fe9 100644
--- a/.github/workflows/automatic.yml
+++ b/.github/workflows/automatic.yml
@@ -78,7 +78,7 @@ jobs:
         id: plan
         run: |
           set -o pipefail -ex
-          terraform plan -compact-warnings -no-color -input=false -lock-timeout=5m -out tfplan 2>&1 \
+          terraform plan -compact-warnings -no-color -input=false -lock=false -out tfplan 2>&1 \
           | tee terraform_log
           terraform show -json tfplan > tfplan.json
 
@@ -154,7 +154,7 @@ jobs:
         id: plan-cost
         run: |
           set -o pipefail -ex
-          terraform plan -compact-warnings -no-color -input=false -lock-timeout=5m -out tfplan-cost 2>&1
+          terraform plan -compact-warnings -no-color -input=false -lock=false -out tfplan-cost 2>&1
           terraform show -json tfplan-cost > tfplan-cost.json
 
       - uses: overmindtech/cost-signals-action@v1

From 8d4fcb802652b34719dca8ce5b70db588b2cd000 Mon Sep 17 00:00:00 2001
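Review bot: `-lock=false` on both `terraform plan` invocations (this hunk and the `plan-cost` hunk below it) trades lock contention for the possibility of planning against a state file that another run is midway through writing, so the saved tfplan can be computed from a partially updated state and differ from what a later `apply` sees. The enclosing `jobs:` block and any `apply` step are outside the hunks, so it cannot be seen from here whether the same flag was applied there as well; if it was, that is the riskier change, since an unlocked apply can corrupt state. A safer way to remove the lock timeouts is to serialize the workflow itself, e.g. `concurrency:` with `group: terraform-${{ github.ref }}` and `cancel-in-progress: false` at the workflow or job level, and keep `-lock-timeout=5m` on the plan steps. If lock-free planning is deliberately accepted, a comment above each step saying so would stop the next reader from re-adding the timeout.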
From: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Date: Fri, 31 Oct 2025 09:46:36 +0000
Subject: [PATCH 2/3] Disable DNS failover and route ALB listener to empty target group

This change simulates the AWS DNS outage scenario by:
1. Creating a blackhole target group with no registered targets
2. Updating ALB listener to forward all traffic to the empty target group
3. Adding Route53 DNS record with no failover capability and disabled health checks

This mimics the scenario where DNS endpoint resolves but has no healthy backends, causing immediate 503 errors and service unavailability. The change removes failover protection and routes traffic to a target group with zero healthy targets.

Impact: High - complete service outage, no automatic failover capability
---
 .../memory-optimization/networking.tf | 35 +++++++++++++++----
 .../scenarios/memory-optimization/outputs.tf | 10 ++++++
 modules/scenarios/route53_blackhole.tf | 28 +++++++++++++++
 3 files changed, 67 insertions(+), 6 deletions(-)
 create mode 100644 modules/scenarios/route53_blackhole.tf

diff --git a/modules/scenarios/memory-optimization/networking.tf b/modules/scenarios/memory-optimization/networking.tf
index 488c826..4f0528f 100644
--- a/modules/scenarios/memory-optimization/networking.tf
+++ b/modules/scenarios/memory-optimization/networking.tf
@@ -58,6 +58,34 @@ resource "aws_lb_target_group" "app" {
   })
 }
 
+# Blackhole Target Group - Empty target group for DNS outage simulation
+resource "aws_lb_target_group" "blackhole" {
+  count = var.enabled ? 1 : 0
+  name = "${local.name_prefix}-tg-blackhole"
+  port = var.application_port
+  protocol = "HTTP"
+  vpc_id = local.vpc_id
+  target_type = "ip"
+
+  health_check {
+    enabled = true
+    healthy_threshold = 5
+    unhealthy_threshold = 2
+    timeout = 5
+    interval = 60
+    path = "/"
+    matcher = "200"
+    port = "traffic-port"
+    protocol = "HTTP"
+  }
+
+  tags = merge(local.common_tags, {
+    Name = "${local.name_prefix}-tg-blackhole"
+    Purpose = "risk-test"
+    Mode = "blackhole"
+  })
+}
+
 # ALB Listener
 resource "aws_lb_listener" "app" {
   count = var.enabled ? 1 : 0
@@ -67,12 +95,7 @@ resource "aws_lb_listener" "app" {
 
   default_action {
     type = "forward"
-
-    forward {
-      target_group {
-        arn = aws_lb_target_group.app[0].arn
-      }
-    }
+    target_group_arn = aws_lb_target_group.blackhole[0].arn
   }
 
   tags = merge(local.common_tags, {
diff --git a/modules/scenarios/memory-optimization/outputs.tf b/modules/scenarios/memory-optimization/outputs.tf
index 7ea771e..d38bc6e 100644
--- a/modules/scenarios/memory-optimization/outputs.tf
+++ b/modules/scenarios/memory-optimization/outputs.tf
@@ -7,6 +7,16 @@ output "alb_url" {
   value = var.enabled ? "http://${aws_lb.app[0].dns_name}" : null
 }
 
+output "alb_dns_name" {
+  description = "DNS name of the ALB"
+  value = var.enabled ? aws_lb.app[0].dns_name : null
+}
+
+output "alb_zone_id" {
+  description = "Zone ID of the ALB"
+  value = var.enabled ? aws_lb.app[0].zone_id : null
+}
+
 output "demo_status" {
   description = "Object showing current vs required memory, cost calculations, and risk assessment"
   value = var.enabled ? {
diff --git a/modules/scenarios/route53_blackhole.tf b/modules/scenarios/route53_blackhole.tf
new file mode 100644
index 0000000..974001b
--- /dev/null
+++ b/modules/scenarios/route53_blackhole.tf
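Review bot: The listener's `default_action` in the second networking.tf hunk now hard-wires `aws_lb_target_group.blackhole[0].arn`, so whenever `var.enabled` is true the service is blackholed and the `app` target group is created but no longer referenced by anything; there is no input to switch the outage on or off, so the only way back to normal traffic is another code change. A toggle keeps the scenario opt-in and makes the normal path the default: `target_group_arn = var.blackhole_mode ? aws_lb_target_group.blackhole[0].arn : aws_lb_target_group.app[0].arn` (variable name is a suggestion; declare it with `default = false`). The `health_check` block on the empty target group in the first hunk has no targets to evaluate, so `healthy_threshold = 5` and `interval = 60` have no observable effect and either belong at defaults or deserve a one-line comment saying they are deliberately set to match the `app` group. `aws_lb_listener.app` starts at the end of the first hunk and continues past the second, so its remaining arguments are not visible here.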
@@ -0,0 +1,28 @@
+# Route53 DNS record for blackhole scenario testing
+# This simulates DNS endpoint going dark by pointing to ALB with empty target group
+# No failover, no health checks - mimics AWS DNS outage scenario
+
+resource "aws_route53_record" "blackhole" {
+  count = var.enable_memory_optimization_demo ? 1 : 0
+  zone_id = data.aws_route53_zone.demo.zone_id
+  name = "blackhole-${var.example_env}.${data.aws_route53_zone.demo.name}"
+  type = "A"
+
+  alias {
+    name = module.memory_optimization.alb_dns_name
+    zone_id = module.memory_optimization.alb_zone_id
+    evaluate_target_health = false
+  }
+
+  # TTL is ignored for alias records but included for documentation
+  # High TTL (300s = 5 minutes) indicates no failover capability
+  # No health check evaluation - mimics DNS endpoint going dark
+
+  tags = {
+    Name = "blackhole-dns-record"
+    RiskTest = "dns-blackhole"
+    Failover = "disabled"
+    Purpose = "simulate-endpoint-going-dark"
+  }
+}
+

From 469622b34b6b4f80d5326542211ae18dc72cbe53 Mon Sep 17 00:00:00 2001
From: jameslaneovermind <122231433+jameslaneovermind@users.noreply.github.com>
Date: Fri, 31 Oct 2025 09:52:42 +0000
Subject: [PATCH 3/3] Fix Route53 record: remove unsupported tags argument

Route53 records don't support tags directly. Removed the tags block to fix terraform validate error. The DNS record itself still functions correctly for the blackhole scenario testing.
---
 modules/scenarios/route53_blackhole.tf | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/modules/scenarios/route53_blackhole.tf b/modules/scenarios/route53_blackhole.tf
index 974001b..41e2480 100644
--- a/modules/scenarios/route53_blackhole.tf
+++ b/modules/scenarios/route53_blackhole.tf
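Review bot: The comment block inside `aws_route53_record.blackhole` says `High TTL (300s = 5 minutes) indicates no failover capability`, but the resource sets no `ttl` argument and an alias record has none of its own, so the comment documents a value that does not exist in the code; the same three lines survive as context in the PATCH 3/3 hunk. Replace them with what the resource actually does, e.g. `# Alias record: no ttl applies. evaluate_target_health = false makes Route53 keep answering with the ALB even when it has no healthy targets - that is the outage being simulated.` The `count` is gated on `var.enable_memory_optimization_demo` while the `alias` block reads `module.memory_optimization.alb_dns_name`, which per the outputs.tf hunk is `null` when that module's `enabled` is false; presumably both come from the same input, but if they can diverge the record fails at plan time on a null alias name, so the header comment should state the dependency. If `data.aws_route53_zone.demo` is a public zone, `blackhole-${var.example_env}.<zone>` becomes a publicly resolvable name that answers with 503s, which is worth stating in the header so the record is not mistaken for a real incident.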
@@ -17,12 +17,6 @@ resource "aws_route53_record" "blackhole" {
   # TTL is ignored for alias records but included for documentation
   # High TTL (300s = 5 minutes) indicates no failover capability
   # No health check evaluation - mimics DNS endpoint going dark
-
-  tags = {
-    Name = "blackhole-dns-record"
-    RiskTest = "dns-blackhole"
-    Failover = "disabled"
-    Purpose = "simulate-endpoint-going-dark"
-  }
+  # Note: Route53 records don't support tags directly
 }
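Review bot: The replacement line `# Note: Route53 records don't support tags directly` drops the scenario metadata the removed `tags` block carried (`RiskTest`, `Failover`, `Purpose`), which is exactly what someone auditing the hosted zone later would look for to recognise this record as a deliberate test. Since the record cannot be tagged, keep that intent in the comment instead, e.g. `# Route53 records cannot be tagged; scenario metadata: RiskTest=dns-blackhole, Failover=disabled, Purpose=simulate-endpoint-going-dark`. The enclosing resource starts outside the hunk.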