Allow fetching module in GitHub workflow

bogsi17 · bogsi17 · commit e649c08b02be · 2025-05-16T10:49:12.000+01:00
* Adding a personal access token as repository secret
* Fetch the module via https
diff --git a/.github/workflows/deploy-backup-infrastructure.yml b/.github/workflows/deploy-backup-infrastructure.yml
@@ -1,4 +1,4 @@
-name: Deploy Backup vault infrastructure
+name: Deploy backup vault infrastructure
 run-name: Deploy backup vault infrastructure for ${{ inputs.environment }}
 
 on:
@@ -46,8 +46,11 @@ jobs:
           terraform_version: 1.10.5
       - name: Terraform Plan
         id: plan
+        env:
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.BACKUP_MODULES_ACCESS_TOKEN }}
         run: |
           set -e
+          git config --global url."https://foo:${PERSONAL_ACCESS_TOKEN}@github.com/NHSDigital".insteadOf "https://github.com/NHSDigital"
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           terraform plan -var-file="env/${{ inputs.environment }}.tfvars" \
           -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
@@ -86,7 +89,10 @@ jobs:
         with:
           terraform_version: 1.10.5
       - name: Apply the changes
+        env:
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.BACKUP_MODULES_ACCESS_TOKEN }}
         run: |
           set -e
+          git config --global url."https://foo:${PERSONAL_ACCESS_TOKEN}@github.com/NHSDigital".insteadOf "https://github.com/NHSDigital"
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           terraform apply ${{ runner.temp }}/tfplan
diff --git a/terraform/backup/README.md b/terraform/backup/README.md
@@ -6,7 +6,7 @@ provided by NHSDigital in https://github.com/NHSDigital/terraform-aws-backup.
 ## Usage
 
 The `source` directory contains the configuration to be applied in the main AWS account where the app is running.
-It is set up with the `terraform-backup-module.yml` GitHub Action workflow.
+It is set up with the `deploy-backup-infrastructure.yml` GitHub Action workflow.
 
 The `destination` directory contains the configuration to be applied in a different AWS account that stores the backup of the backup.
 It will rarely change. In case of changes, terraform needs to be run manually.
@@ -18,8 +18,18 @@ To set up the backup infrastructure from scratch, follow these steps:
    It returns the ARN of the destination vault that is created.
 3. Put the ARN of the destination vault in the \*.tfvars file in the `source` directory.
 4. Create an AWS policy based on the `aws-backup-policy.json` file.
-   This policy should be attached to the IAM role that is used by the `terraform-backup-module.yml` GitHub Action workflow.
-5. Set up the **source** account by running the `terraform-backup-module.yml` GitHub Action workflow.
+   This policy should be attached to the IAM role that is used by the `deploy-backup-infrastructure.yml` GitHub Action workflow.
+5. Set up the **source** account by running the `deploy-backup-infrastructure.yml` GitHub Action workflow.
+
+### Personal Access Token
+
+The `deploy-backup-infrastructure.yml` GitHub Action workflow requires a personal access token to be set in the repository secrets to be able to fetch the terraform module.
+This token has a limited lifetime. If it has expired, create a new fine-grained personal access token as described in the [GitHub documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-fine-grained-personal-access-token)
+and add it as repository secret.
+
+- Resource Owner: NHS Digital
+- Repository access: terraform-aws-backup
+- Permissions: read-only Content
 
 ## Disaster Recovery
 
diff --git a/terraform/backup/source/main.tf b/terraform/backup/source/main.tf
@@ -116,7 +116,7 @@ resource "aws_kms_key" "backup_notifications" {
 # Now we can deploy the source and destination modules, referencing the resources we've created above.
 
 module "source" {
-  source = "git@github.com:NHSDigital/terraform-aws-backup.git//modules/aws-backup-source?ref=v1.1.0"
+  source = "github.com/NHSDigital/terraform-aws-backup.git//modules/aws-backup-source?ref=v1.1.0"
 
   backup_copy_vault_account_id = local.destination_account_id
   backup_copy_vault_arn        = var.destination_vault_arn
