Move comparison to separate script

bogsi17 · bogsi17 · commit ef98e619592d · 2025-05-27T11:14:49.000+01:00
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -67,17 +67,8 @@ jobs:
       - name: Compare permissions
         id: compare-permissions
         run: |
-          VERSION_ID=$(aws iam get-policy --policy-arn arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources --query 'Policy.DefaultVersionId' --output text)
-          DEPLOYED_POLICY=$(aws iam get-policy-version --policy-arn arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources --version-id $VERSION_ID --query 'PolicyVersion.Document' --output json)
-          echo "fetched deployed policy: $DEPLOYED_POLICY"
-          POLICY_DIFF=$(diff <(echo "$DEPLOYED_POLICY" | jq --sort-keys .) <(jq --sort-keys . ../resources/github_actions_policy.json))
-          echo "Policy diff: $POLICY_DIFF"
-          if [ -n "$POLICY_DIFF" ]; then
-            echo "Policy mismatch detected: $POLICY_DIFF"
-            echo "policy_mismatch=true" >> $GITHUB_OUTPUT
-          else
-            echo "No policy mismatch detected"
-          fi
+          set -e
+          ./../scripts/validate-github-actions-policy.sh arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources ../resources/github_actions_policy.json
 
   update-permissions:
     name: Update permissions
@@ -100,13 +91,13 @@ jobs:
       - name: Update IAM policy
         run: |
           set -e
-          ./../scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.aws_role }}:policy/DeployMavisResources ../resources/github_actions_policy.json
+          ./../scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources ../resources/github_actions_policy.json
 
   plan:
     name: Terraform plan
     runs-on: ubuntu-latest
-    needs: update-permissions
-    if: always()
+    needs: [validate-permissions, update-permissions]
+    if: needs.update-permissions.result == 'success' || needs.validate-permissions.outputs.policy-mismatch == 'false'
     permissions:
       id-token: write
     steps:
diff --git a/terraform/scripts/validate-github-actions-policy.sh b/terraform/scripts/validate-github-actions-policy.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <policy-arn> <policy-file>"
+    exit 1
+fi
+
+POLICY_ARN=$1
+POLICY_FILE=$2
+
+VERSION_ID=$(aws iam get-policy --policy-arn "$POLICY_ARN" --query 'Policy.DefaultVersionId' --output text)
+aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$VERSION_ID" --query 'PolicyVersion.Document' --output json > deployed_policy.json
+echo "fetched deployed policy: $(cat deployed_policy.json)"
+
+jq -S . deployed_policy.json > deployed_policy_sorted.json
+jq -S . "$POLICY_FILE" > github_actions_policy_sorted.json
+
+POLICY_DIFF=$(diff --unified deployed_policy_sorted.json github_actions_policy_sorted.json)
+echo "Policy diff: $POLICY_DIFF"
+if [ -n "$POLICY_DIFF" ]; then
+  echo "Policy mismatch detected: $POLICY_DIFF"
+  echo "policy_mismatch=true" >> "$GITHUB_OUTPUT"
+else
+  echo "No policy mismatch detected"
+fi
