Split validation and update

bogsi17 · bogsi17 · commit ac8c5ca14c22 · 2025-05-27T10:46:50.000+01:00
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -47,9 +47,44 @@ defaults:
     working-directory: terraform/app
 
 jobs:
-  plan:
-    name: Terraform plan
+  validate-permissions:
+    name: Validate permissions
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    outputs:
+      policy-mismatch: ${{ steps.compare-permissions.outputs.policy_mismatch }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.image_tag || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Compare permissions
+        id: compare-permissions
+        run: |
+          VERSION_ID=$(aws iam get-policy --policy-arn arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources --query 'Policy.DefaultVersionId' --output text)
+          DEPLOYED_POLICY=$(aws iam get-policy-version --policy-arn arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources --version-id $VERSION_ID --query 'PolicyVersion.Document' --output json)
+          echo "fetched deployed policy: $DEPLOYED_POLICY"
+          POLICY_DIFF=$(diff <(echo "$DEPLOYED_POLICY" | jq --sort-keys .) <(jq --sort-keys . ../resources/github_actions_policy.json))
+          echo "Policy diff: $POLICY_DIFF"
+          if [ -n "$POLICY_DIFF" ]; then
+            echo "Policy mismatch detected: $POLICY_DIFF"
+            echo "policy_mismatch=true" >> $GITHUB_OUTPUT
+          else
+            echo "No policy mismatch detected"
+          fi
+
+  update-permissions:
+    name: Update permissions
     runs-on: ubuntu-latest
+    needs: validate-permissions
+    if: inputs.environment == 'sandbox-beta' && needs.validate-permissions.outputs.policy-mismatch == 'true'
+    environment: ${{ inputs.environment }}
     permissions:
       id-token: write
     steps:
@@ -66,6 +101,24 @@ jobs:
         run: |
           set -e
           ./../scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.aws_role }}:policy/DeployMavisResources ../resources/github_actions_policy.json
+
+  plan:
+    name: Terraform plan
+    runs-on: ubuntu-latest
+    needs: update-permissions
+    if: always()
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.image_tag || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
       - name: Set image tag
         run: |
           IMAGE_TAG="${{ inputs.image_tag || github.sha }}"
diff --git a/terraform/resources/github_actions_policy.json b/terraform/resources/github_actions_policy.json
@@ -5,6 +5,7 @@
       "Sid": "Statement1",
       "Effect": "Allow",
       "Action": [
+        "acm:DescribeCertificate",
         "acm:DeleteCertificate",
         "acm:RequestCertificate",
         "application-autoscaling:DeleteScalingPolicy",
