[NDR-352] Allow GitHub IAM role and permissions to be controlled by IaC (TEST env)

.github/workflows/cron-tear-down-test.yml

@@ -18,7 +18,7 @@ jobs:
       sandbox_name: ndr-test
       environment: test
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
 
   cleanup_versions:
     name: Cleanup Versions
@@ -28,7 +28,7 @@ jobs:
       sandbox_name: ndr-test
       environment: test
     secrets:
-      AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
+      AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
 
   terraform_destroy_process:
     name: Destroy Test Environment
@@ -48,11 +48,12 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v6
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
           role-skip-session-tagging: true
           aws-region: ${{ vars.AWS_REGION }}
           mask-aws-account-id: true
 
+
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v4
         with:
@@ -100,3 +101,38 @@ jobs:
         id: destroy
         run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
         working-directory: ./infrastructure
+
+  terraform_destroy_base_iam:
+    name: Terraform Destroy base_iam
+    runs-on: ubuntu-latest
+    needs: [terraform_destroy_process]
+    environment: test
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          ref: main
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.14.3
+
+      - name: Initialise Terraform
+        run: terraform init -backend-config=bucket=${{ secrets.AWS_WORKSPACE }}-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
+        working-directory: ./base_iam
+
+      - name: Select Terraform Workspace
+        run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
+        working-directory: ./base_iam
+
+      - name: Run Terraform Destroy
+        run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" -var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}
+        working-directory: ./base_iam

.github/workflows/deploy-test.yml

@@ -16,54 +16,46 @@ permissions:
   contents: read  # This is required for actions/checkout
 
 jobs:
-  terraform_plan_apply:
-    name: Terraform Plan/Apply (ndr-test)
+  terraform_plan_apply_base_iam:
+    name: Terraform Plan/Apply (base_iam)
     runs-on: ubuntu-latest
     environment: test
     steps:
-      - name: Checkout
+      - name: Checkout branch
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.inputs.git_ref}}
 
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v6
+      - name: Apply base_iam
+        uses: ./.github/actions/tf-plan-apply
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
+          bucket_prefix: "test"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          working_directory: "./base_iam"  # Use separate base_iam directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
 
-      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v4
+  terraform_plan_apply:
+    name: Terraform Plan/Apply (ndr-test)
+    runs-on: ubuntu-latest
+    needs: terraform_plan_apply_base_iam
+    environment: test
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v6
         with:
-          terraform_version: 1.14.6
-          terraform_wrapper: false
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend-test.conf
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select -or-create ${{ secrets.AWS_WORKSPACE }}
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
+          ref: ${{ github.event.inputs.git_ref}}
 
-      - name: Run Terraform Apply
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Main
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          # use newly created role
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
+          bucket_prefix: "test"
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_region: ${{ vars.AWS_REGION }}
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}