Merge branch 'main' into PRMP-1499

Author: NogaNHS

.github/workflows/cron-tear-down-test.yml

@@ -18,7 +18,7 @@ jobs:
       sandbox_name: ndr-test
       environment: test
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
 
   cleanup_versions:
     name: Cleanup Versions
@@ -28,7 +28,7 @@ jobs:
       sandbox_name: ndr-test
       environment: test
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
 
   terraform_destroy_process:
     name: Destroy Test Environment
@@ -48,11 +48,12 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
           role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
           mask-aws-account-id: true
 
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
@@ -100,3 +101,38 @@ jobs:
         id: destroy
         run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
         working-directory: ./infrastructure
+
+  terraform_destroy_base_iam:
+    name: Terraform Destroy base_iam
+    runs-on: ubuntu-latest
+    needs: [terraform_destroy_process]
+    environment: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: main
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.14.3
+
+      - name: Initialise Terraform
+        run: terraform init -backend-config=bucket=${{ secrets.AWS_WORKSPACE }}-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
+        working-directory: ./base_iam
+
+      - name: Select Terraform Workspace
+        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
+        working-directory: ./base_iam
+
+      - name: Run Terraform Destroy
+        run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" -var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}
+        working-directory: ./base_iam

.github/workflows/deploy-pre-prod.yml

@@ -1,6 +1,6 @@
 name: "Deploy - Pre-prod"
 
-run-name: "${{ github.event.inputs.branch_or_tag }}"
+run-name: "${{ inputs.branch_or_tag }}"
 
 on:
   workflow_dispatch:
@@ -21,18 +21,18 @@ jobs:
     name: Tag main
     runs-on: ubuntu-latest
     outputs:
-      version: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
+      version: ${{ steps.versioning.outputs.tag || inputs.branch_or_tag }}
     permissions: write-all
     steps:
       - name: Checkout main
-        if: ${{ github.event.inputs.branch_or_tag == 'main' }}
+        if: ${{ inputs.branch_or_tag == 'main' }}
         uses: actions/checkout@v6
         with:
           ref: main
           fetch-depth: "0"
 
       - name: Bump version and push tag
-        if: ${{ github.event.inputs.branch_or_tag == 'main' }}
+        if: ${{ inputs.branch_or_tag == 'main' }}
         id: versioning
         uses: anothrNick/github-tag-action@1.64.0
         env:
@@ -42,7 +42,7 @@ jobs:
 
       - name: View outputs
         run: |
-          echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
+          echo Tag to deploy: ${{ steps.versioning.outputs.tag || inputs.branch_or_tag }}
 
   terraform_plan_apply_base_iam:
     name: Terraform Plan/Apply base-iam (pre-prod)

.github/workflows/deploy-prod.yml

@@ -1,6 +1,6 @@
 name: "Deploy - Prod"
 
-run-name: "${{ github.event.inputs.git_tag }}"
+run-name: "${{ inputs.git_tag }}"
 
 on:
   workflow_dispatch:
@@ -16,54 +16,48 @@ permissions:
   contents: read # This is required for actions/checkout
 
 jobs:
-  terraform_plan_apply:
-    name: Terraform Plan/Apply (prod)
+  terraform_plan_apply_base_iam:
+    name: Terraform Plan/Apply base-iam (prod)
     runs-on: ubuntu-latest
     environment: prod
     steps:
-      - name: Checkout Tag
+      - name: Checkout
         uses: actions/checkout@v6
         with:
           ref: refs/tags/${{ github.event.inputs.git_tag}}
           fetch-depth: "0"
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/prod-github-bootstrap
+          bucket_prefix: "prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v4
+  terraform_plan_apply:
+    name: Terraform Plan/Apply (prod)
+    needs: ["terraform_plan_apply_base_iam"]
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - name: Checkout Tag
+        uses: actions/checkout@v6
         with:
-          terraform_version: 1.14.6
-          terraform_wrapper: false
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend-prod.conf
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
+          ref: refs/tags/${{ inputs.git_tag}}
+          fetch-depth: "0"
 
-      - name: Run Terraform Apply
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Main
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          # use newly updated role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/prod-github-actions-role
+          bucket_prefix: "prod"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}

.github/workflows/deploy-test.yml

@@ -1,6 +1,6 @@
 name: "Deploy - Test"
 
-run-name: "${{ github.event.inputs.git_ref }}"
+run-name: "${{ inputs.git_ref }}"
 
 on:
   workflow_dispatch:
@@ -16,54 +16,46 @@ permissions:
   contents: read  # This is required for actions/checkout
 
 jobs:
-  terraform_plan_apply:
-    name: Terraform Plan/Apply (ndr-test)
+  terraform_plan_apply_base_iam:
+    name: Terraform Plan/Apply (base_iam)
     runs-on: ubuntu-latest
     environment: test
     steps:
-      - name: Checkout
+      - name: Checkout branch
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.event.inputs.git_ref}}
+          ref: ${{ inputs.git_ref}}
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
+          bucket_prefix: "test"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v4
+  terraform_plan_apply:
+    name: Terraform Plan/Apply (ndr-test)
+    runs-on: ubuntu-latest
+    needs: terraform_plan_apply_base_iam
+    environment: test
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v6
         with:
-          terraform_version: 1.14.6
-          terraform_wrapper: false
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend-test.conf
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select -or-create ${{ secrets.AWS_WORKSPACE }}
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
+          ref: ${{ github.event.inputs.git_ref}}
 
-      - name: Run Terraform Apply
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Main
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          # use newly created role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
+          bucket_prefix: "test"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}

.github/workflows/tool-rename-git-tag.yml

@@ -1,6 +1,6 @@
 name: 'Tool: Rename Git Tag'
 
-run-name: "${{ github.event.inputs.old_tag }} -> ${{ github.event.inputs.new_tag }}"
+run-name: "${{ inputs.old_tag }} -> ${{ inputs.new_tag }}"
 
 on:
   workflow_dispatch:
@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
-          ref: ${{ github.event.inputs.old_tag }}
+          ref: ${{ inputs.old_tag }}
           fetch-depth: 0
 
       - name: Check SHA
@@ -49,6 +49,6 @@ jobs:
             github.rest.git.createRef({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              ref: 'refs/tags/${{ github.event.inputs.new_tag }}',
+              ref: 'refs/tags/${{ inputs.new_tag }}',
               sha: '${{ steps.get-sha.outputs.BRANCH_SHA }}'
             })