Merge remote-tracking branch 'origin/main' into PRMP-739

# Conflicts:
#	base_iam/iam_github_dev.tf
#	base_iam/iam_github_pre-prod.tf
#	base_iam/policy_tool.py

Author: PedroSoaresNHS

.github/actions/tf-plan-apply/action.yml

@@ -42,6 +42,11 @@ inputs:
     required: false
     default: ""
 
+  tf_lock_timeout:
+    description: "Time to wait for Terraform state lock (e.g., 20m)"
+    required: false
+    default: "20m"
+
   do_apply:
     description: "Whether to run 'terraform apply' after 'terraform plan'"
     required: false
@@ -81,12 +86,12 @@ runs:
 
     - name: Run Terraform Plan
       run: |
-        terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
+        terraform plan -lock-timeout="${{ inputs.tf_lock_timeout }}" -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
       working-directory: ${{ inputs.working_directory }}
       shell: bash
 
     - name: Run Terraform Apply
       if: ${{ inputs.do_apply == 'true' }}
-      run: terraform apply -auto-approve -input=false tf.plan
+      run: terraform apply -lock-timeout="${{ inputs.tf_lock_timeout }}" -auto-approve -input=false tf.plan
       working-directory: ${{ inputs.working_directory }}
       shell: bash

.github/workflows/cron-tear-down-sandbox.yml

@@ -2,7 +2,7 @@ name: 'Z-CRON: Tear down - Sandboxes'
 
 on:
   schedule:
-    - cron: 59 18-21 * * 1-5 # utc time
+    - cron: 59 18,20,22 * * 1-5 # utc time
 
 permissions:
   pull-requests: write

.github/workflows/deploy-pre-prod.yml

@@ -44,8 +44,8 @@ jobs:
         run: |
           echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
 
-  terraform_plan_apply:
-    name: Terraform Plan/Apply (pre-prod)
+  terraform_plan_apply_base_iam:
+    name: Terraform Plan/Apply base-iam (pre-prod)
     runs-on: ubuntu-latest
     needs: ["tag_main"]
     environment: pre-prod
@@ -56,43 +56,38 @@ jobs:
           ref: ${{ needs.tag_main.outputs.version }}
           fetch-depth: "0"
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
         with:
-          terraform_version: 1.14.3
-          terraform_wrapper: false
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend-pre-prod.conf
-        working-directory: ./infrastructure
-        shell: bash
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-bootstrap
+          bucket_prefix: "pre-prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
-        working-directory: ./infrastructure
-        shell: bash
 
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
+  terraform_plan_apply:
+    name: Terraform Plan/Apply infrastructure (pre-prod)
+    runs-on: ubuntu-latest
+    needs: ["tag_main", "terraform_plan_apply_base_iam"]
+    environment: pre-prod
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.tag_main.outputs.version }}
+          fetch-depth: "0"
 
-      - name: Run Terraform Apply
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Main
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          # use newly updated role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-actions-role
+          bucket_prefix: "pre-prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}

.github/workflows/tear-down-sandbox.yml

@@ -54,7 +54,7 @@ jobs:
       sandbox_name: ${{ inputs.sandbox_name }}
       environment: ${{ inputs.environment }}
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 
   cleanup_versions:
     name: Cleanup Versions
@@ -64,7 +64,7 @@ jobs:
       sandbox_name: ${{ inputs.sandbox_name }}
       environment: ${{ inputs.environment }}
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 
   terraform_destroy:
     name: Terraform Destroy
@@ -90,7 +90,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
           aws-region: ${{ vars.AWS_REGION }}
           mask-aws-account-id: true