From f3ad339cf5827f75c61043251f4c93395b50641f Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 2 Jun 2026 09:36:31 +0000
Subject: [PATCH] if you change the descript it destories and make a new one instead of edit
---
 deployment/terraform/shared/main.tf | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/deployment/terraform/shared/main.tf b/deployment/terraform/shared/main.tf
index cfd88e6f..82a3820a 100644
--- a/deployment/terraform/shared/main.tf
+++ b/deployment/terraform/shared/main.tf
@@ -512,8 +512,12 @@ module "landlord_description_overrides_registry" {
 module "landlord_overrides_s3_read" {
 source = "../modules/s3_iam_policy"
- policy_name = "LandlordOverridesReadS3"
- policy_description = "Allow landlord description overrides Lambda to read the original upload CSV from retrofit-plan-inputs (and retrofit-data) bucket"
+ policy_name = "LandlordOverridesReadS3"
+ # NOTE: aws_iam_policy.description is ForceNew — changing it destroys+recreates the
+ # policy, which deadlocks because the policy is attached to the lambda role in the
+ # separate landlordDescriptionOverrides stack (DeleteConflict). Keep this string
+ # byte-for-byte identical to what's in state so the bucket change applies in-place.
+ policy_description = "Allow landlord description overrides Lambda to read from retrofit-data bucket"
 bucket_arns = [
 "arn:aws:s3:::retrofit-plan-inputs-${var.stage}",
 "arn:aws:s3:::retrofit-data-${var.stage}",
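Review bot: The pinned `policy_description` names only the retrofit-data bucket, while `bucket_arns` in the same module call also lists `arn:aws:s3:::retrofit-plan-inputs-${var.stage}`, so anyone reviewing IAM by description will under-read what this policy covers. The new comment explains why the string must not change, but not that it is knowingly inaccurate; I would add a line such as `# The description is intentionally stale: the effective scope is bucket_arns below (retrofit-plan-inputs and retrofit-data).` Nothing enforces the "byte-for-byte identical to what's in state" rule either, so the next well-meant correction of the text would hit the same DeleteConflict. If the `s3_iam_policy` module (not visible here) can be made to ignore description changes, or the attachment can move into the same stack as the policy, the text could later be corrected safely. The module block continues past the end of the hunk.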