mlevit / aws-auto-cleanup

Programmatically delete AWS resources based on an allowlist and time to live (TTL) settings
MIT License
496 stars 55 forks

[Question] How is an allowlist entry removed from settings table when the expiration date is reached? #127

Closed atqhg23 closed 1 year ago

atqhg23 commented 1 year ago

Hi, I'm currently looking into a case where a resource was shown as being part of the allowlist in the dry run exec log, but a few days later, when the destroy run took place, the resource was deleted. I'm assuming that the whitelist entry expired between when the dry run took place and when the destroy run took place. I'm not able to find any events in CloudTrail of when the allowlist entry was created and the API logs have been deleted due to the log group retention period. I'm currently checking to see if there are any events of when the DynamoDB item was deleted, and had a few questions about the allowlist entry expiration if you have some time:

mlevit commented 1 year ago

Hey @atqhg23. The allowlist utilises DynamoDB's TTL feature. Simply put, once the current date is greater than the expiration date of the resource in the allowlist, DynamoDB will automatically remove the entry from the allowlist.
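The mechanism described above has two properties worth handling in code when an allowlist is backed by DynamoDB TTL: the TTL attribute must be a Number holding epoch seconds, and TTL deletion is asynchronous, so an item whose expiration has passed can still be returned by a scan for a while after it expired. The example below is added here and is not aws-auto-cleanup's own code; it assumes a hypothetical table shape with a `resource_id` string key and an `expiration` epoch-seconds TTL attribute, and uses constructed sample items and DynamoDB Streams records so it runs offline without boto3. It shows a read-side check that treats expired-but-not-yet-deleted entries as not allowlisted, and a Streams-record classifier that distinguishes TTL-driven removals (which DynamoDB attributes to the `dynamodb.amazonaws.com` service principal) from removals made by a caller, which is the kind of evidence the question above was looking for.

```python
"""Helpers around a DynamoDB-TTL-backed allowlist (added example, hypothetical schema)."""
import time

# Constructed reference time so the sample data and checks are deterministic.
NOW = 1_700_000_000

# Assumed item shape: resource_id (string hash key), expiration (epoch seconds, the TTL attribute).
# Constructed sample items; one is live, one has expired but TTL has not removed it yet,
# and one has no expiration attribute, which DynamoDB TTL never deletes.
SAMPLE_ALLOWLIST = [
    {"resource_id": "i-0live", "expiration": NOW + 86_400},
    {"resource_id": "i-0expired", "expiration": NOW - 3_600},
    {"resource_id": "sg-0permanent"},
]

# Constructed DynamoDB Streams records (NEW_AND_OLD_IMAGES view). The first is a TTL
# deletion: DynamoDB sets userIdentity.type to "Service" and principalId to
# "dynamodb.amazonaws.com" on those. The second is a REMOVE issued by a caller.
SAMPLE_STREAM_RECORDS = [
    {
        "eventName": "REMOVE",
        "userIdentity": {"type": "Service", "principalId": "dynamodb.amazonaws.com"},
        "dynamodb": {"OldImage": {"resource_id": {"S": "i-0expired"},
                                  "expiration": {"N": str(NOW - 3_600)}}},
    },
    {
        "eventName": "REMOVE",
        "dynamodb": {"OldImage": {"resource_id": {"S": "sg-0manual"}}},
    },
    {
        "eventName": "INSERT",
        "dynamodb": {"NewImage": {"resource_id": {"S": "i-0live"}}},
    },
]


def make_entry(resource_id, ttl_days, now=None):
    """Build an allowlist item whose expiration is an integer epoch-seconds value.

    TTL only acts on Number attributes in epoch seconds; an ISO-8601 string or a
    millisecond value would silently never expire (or expire far in the future).
    """
    now = int(time.time()) if now is None else int(now)
    return {"resource_id": resource_id, "expiration": now + ttl_days * 86_400}


def is_allowlisted(allowlist_items, resource_id, now=None):
    """Return True only if an entry exists and has not passed its expiration.

    TTL deletion is background work that can lag the expiration time, so a plain
    lookup can still see a dead entry. Checking the timestamp at read time makes the
    dry run and the real run agree on whether a resource is protected.
    """
    now = int(time.time()) if now is None else int(now)
    for item in allowlist_items:
        if item.get("resource_id") != resource_id:
            continue
        expiration = item.get("expiration")
        if expiration is None:
            return True  # no TTL attribute: DynamoDB never expires this item
        return int(expiration) > now
    return False


def is_ttl_deletion(record):
    """True when a Streams record is a REMOVE performed by the DynamoDB TTL service."""
    if record.get("eventName") != "REMOVE":
        return False
    identity = record.get("userIdentity") or {}
    return (identity.get("type") == "Service"
            and identity.get("principalId") == "dynamodb.amazonaws.com")


def ttl_deleted_resource_ids(records):
    """Collect the resource ids that TTL removed, read from each record's OldImage."""
    removed = []
    for record in records:
        if not is_ttl_deletion(record):
            continue
        old_image = record.get("dynamodb", {}).get("OldImage", {})
        resource_id = old_image.get("resource_id", {}).get("S")
        if resource_id:
            removed.append(resource_id)
    return removed


if __name__ == "__main__":
    for rid in ("i-0live", "i-0expired", "sg-0permanent", "i-0missing"):
        print(f"{rid}: allowlisted={is_allowlisted(SAMPLE_ALLOWLIST, rid, now=NOW)}")
    print("removed by TTL:", ttl_deleted_resource_ids(SAMPLE_STREAM_RECORDS))
```

Because TTL deletions are data-plane events, they do not appear in CloudTrail management-event logs; enabling a stream on the allowlist table and keeping the records (or forwarding them to a log group with an adequate retention period) is the practical way to reconstruct when an entry disappeared and whether TTL or a caller removed it.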