
Commit fc1d453

Merge remote-tracking branch 'origin/main' into PRMP-739
# Conflicts: # base_iam/iam_github_dev.tf # base_iam/iam_github_pre-prod.tf # base_iam/policy_tool.py
2 parents 815d1c7 + 8167071 commit fc1d453

22 files changed

+2239
-62
lines changed

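--- a/.github/actions/tf-plan-apply/action.yml
+++ b/.github/actions/tf-plan-apply/action.yml
@@ -42,6 +42,11 @@ inputs:
 required: false
 default: ""
 
+tf_lock_timeout:
+description: "Time to wait for Terraform state lock (e.g., 20m)"
+required: false
+default: "20m"
+
 do_apply:
 description: "Whether to run 'terraform apply' after 'terraform plan'"
 required: false
@@ -81,12 +86,12 @@ runs:
 
 - name: Run Terraform Plan
 run: |
-terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
+terraform plan -lock-timeout="${{ inputs.tf_lock_timeout }}" -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
 working-directory: ${{ inputs.working_directory }}
 shell: bash
 
 - name: Run Terraform Apply
 if: ${{ inputs.do_apply == 'true' }}
-run: terraform apply -auto-approve -input=false tf.plan
+run: terraform apply -lock-timeout="${{ inputs.tf_lock_timeout }}" -auto-approve -input=false tf.plan
 working-directory: ${{ inputs.working_directory }}
 shell: bash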
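Review bot: The new `-lock-timeout="${{ inputs.tf_lock_timeout }}"` on both the plan and the apply `run:` lines splices the input into the script text before the shell parses it, so the surrounding double quotes do not isolate the value; the pre-existing `${{ inputs.tf_extra_args }}` on the plan line has the same shape. The documented way to get an action input into a `run:` step is an `env:` mapping on the step, `TF_LOCK_TIMEOUT: ${{ inputs.tf_lock_timeout }}`, referenced as `-lock-timeout="$TF_LOCK_TIMEOUT"`, which keeps the value as data rather than script. Since this is a composite action called from this repository's own workflows the practical exposure is limited, but the env form costs nothing and makes the step uniform for any future input.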

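--- a/.github/workflows/cron-tear-down-sandbox.yml
+++ b/.github/workflows/cron-tear-down-sandbox.yml
@@ -2,7 +2,7 @@ name: 'Z-CRON: Tear down - Sandboxes'
 
 on:
 schedule:
-- cron: 59 18-21 * * 1-5 # utc time
+- cron: 59 18,20,22 * * 1-5 # utc time
 
 permissions:
 pull-requests: write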

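--- a/.github/workflows/deploy-pre-prod.yml
+++ b/.github/workflows/deploy-pre-prod.yml
@@ -44,8 +44,8 @@ jobs:
 run: |
 echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
 
-terraform_plan_apply:
-name: Terraform Plan/Apply (pre-prod)
+terraform_plan_apply_base_iam:
+name: Terraform Plan/Apply base-iam (pre-prod)
 runs-on: ubuntu-latest
 needs: ["tag_main"]
 environment: pre-prod
@@ -56,43 +56,38 @@ jobs:
 ref: ${{ needs.tag_main.outputs.version }}
 fetch-depth: "0"
 
-- name: Configure AWS Credentials
-uses: aws-actions/configure-aws-credentials@v5
-with:
-role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-role-skip-session-tagging: true
-aws-region: ${{ vars.AWS_REGION }}
-mask-aws-account-id: true
-
-- name: Setup Terraform
-uses: hashicorp/setup-terraform@v3
+- name: Apply base_iam
+uses: ./.github/actions/tf-plan-apply
 with:
-terraform_version: 1.14.3
-terraform_wrapper: false
-
-- name: Initialise Terraform
-id: init
-run: terraform init -backend-config=backend-pre-prod.conf
-working-directory: ./infrastructure
-shell: bash
+aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-bootstrap
+bucket_prefix: "pre-prod"
+aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+aws_region: ${{ vars.AWS_REGION }}
+working_directory: "./base_iam" # Use separate base_iam directory
+workspace: ${{ secrets.AWS_WORKSPACE }}
+tf_vars_file: ${{ vars.TF_VARS_FILE }}
+tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-- name: Select Terraform Workspace
-id: workspace
-run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
-working-directory: ./infrastructure
-shell: bash
 
-- name: Check Terraform Formatting
-run: terraform fmt -check
-working-directory: ./infrastructure
-
-- name: Run Terraform Plan
-id: plan
-run: |
-terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-working-directory: ./infrastructure
-shell: bash
+terraform_plan_apply:
+name: Terraform Plan/Apply infrastructure (pre-prod)
+runs-on: ubuntu-latest
+needs: ["tag_main", "terraform_plan_apply_base_iam"]
+environment: pre-prod
+steps:
+- name: Checkout main
+uses: actions/checkout@v6
+with:
+ref: ${{ needs.tag_main.outputs.version }}
+fetch-depth: "0"
 
-- name: Run Terraform Apply
-run: terraform apply -auto-approve -input=false tf.plan
-working-directory: ./infrastructure
+- name: Apply Main
+uses: ./.github/actions/tf-plan-apply
+with:
+# use newly updated role
+aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/pre-prod-github-actions-role
+bucket_prefix: "pre-prod"
+aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+aws_region: ${{ vars.AWS_REGION }}
+workspace: ${{ secrets.AWS_WORKSPACE }}
+tf_vars_file: ${{ vars.TF_VARS_FILE }}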
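Review bot: Neither `Apply base_iam` nor `Apply Main` sets the action's `do_apply` input, so whether `terraform apply` still runs for pre-prod now rests on a default defined in the action outside this diff (the action's `do_apply` block only shows `required: false` here), whereas the job being replaced ran apply unconditionally. Add `do_apply: "true"` to both `with:` blocks so the intent is visible in the workflow rather than in the action's defaults. The removed `terraform fmt -check` step has no visible replacement in these hunks; if the composite action does not run it, the formatting gate is silently dropped for pre-prod. The `# use newly updated role` comment would carry more for the next reader as `# role presumably provisioned by terraform_plan_apply_base_iam above, hence the needs ordering`, since that dependency is the reason the two jobs are split.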

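--- a/.github/workflows/tear-down-sandbox.yml
+++ b/.github/workflows/tear-down-sandbox.yml
@@ -54,7 +54,7 @@ jobs:
 sandbox_name: ${{ inputs.sandbox_name }}
 environment: ${{ inputs.environment }}
 secrets:
-AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 
 cleanup_versions:
 name: Cleanup Versions
@@ -64,7 +64,7 @@ jobs:
 sandbox_name: ${{ inputs.sandbox_name }}
 environment: ${{ inputs.environment }}
 secrets:
-AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 
 terraform_destroy:
 name: Terraform Destroy
@@ -90,7 +90,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v5
 with:
-role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
 aws-region: ${{ vars.AWS_REGION }}
 mask-aws-account-id: true
 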
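Review bot: The three new ARNs build the role name from `github.event.inputs.sandbox_name`, while the adjacent context lines (54, 64) read the same value as `inputs.sandbox_name`; if this workflow is ever invoked through `workflow_call` rather than `workflow_dispatch`, `github.event.inputs` is empty and the ARN degrades to `role/-github-actions-role`, failing AssumeRole with a confusing message. Use `${{ inputs.sandbox_name }}` in all three places, which also fixes the missing space before `}}`. Because the role name is now derived from a dispatch input, it is worth constraining that input — a `choice` type or a pattern check on `sandbox_name` before the first job — so only the intended sandbox roles can be named; each role's trust policy remains the real control, the check just surfaces a bad value early. The same remark applies to all three hunks in this file.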
