|
| 1 | +# Manual IAM deployment for emergency or ad-hoc use. |
| 2 | +# Normal IAM deployments happen automatically as part of cicd-2-publish and base-deploy. |
1 | 3 | name: "IAM Bootstrap | Deploy IAM Roles" |
2 | 4 |
|
3 | 5 | on: |
4 | | - push: |
5 | | - branches: |
6 | | - - main |
7 | | - paths: |
8 | | - - "infrastructure/stacks/iams-developer-roles/**" |
9 | 6 | workflow_dispatch: |
10 | 7 | inputs: |
11 | 8 | environment: |
12 | | - description: "Environment to deploy (leave blank for all)" |
13 | | - required: false |
| 9 | + description: "Environment to deploy" |
| 10 | + required: true |
14 | 11 | type: choice |
15 | 12 | options: |
16 | | - - all |
17 | 13 | - dev |
18 | 14 | - test |
19 | 15 | - preprod |
20 | 16 | - prod |
21 | | - workflow_call: |
22 | | - inputs: |
23 | | - environment: |
24 | | - description: "Environment to deploy" |
25 | | - required: false |
26 | | - type: string |
27 | | - default: "all" |
28 | 17 |
|
29 | 18 | concurrency: |
30 | | - group: iam-bootstrap-deploy |
| 19 | + group: iam-bootstrap-${{ inputs.environment }} |
31 | 20 | cancel-in-progress: false |
32 | 21 |
|
33 | 22 | permissions: |
34 | 23 | contents: read |
35 | 24 | id-token: write |
36 | 25 |
|
37 | 26 | jobs: |
38 | | - metadata: |
39 | | - name: "Resolve CI/CD metadata" |
| 27 | + deploy: |
| 28 | + name: "Deploy IAM roles → ${{ inputs.environment }}" |
40 | 29 | runs-on: ubuntu-latest |
41 | | - timeout-minutes: 2 |
42 | | - outputs: |
43 | | - terraform_version: ${{ steps.vars.outputs.terraform_version }} |
44 | | - target_env: ${{ steps.vars.outputs.target_env }} |
| 30 | + timeout-minutes: 15 |
| 31 | + environment: ${{ inputs.environment }} |
45 | 32 | steps: |
46 | 33 | - name: "Checkout code" |
47 | 34 | uses: actions/checkout@v6 |
48 | 35 |
|
49 | | - - name: "Set variables" |
| 36 | + - name: "Resolve Terraform version" |
50 | 37 | id: vars |
51 | 38 | run: | |
52 | 39 | echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT |
53 | 40 |
|
54 | | - # Determine which environment(s) to deploy |
55 | | - INPUT_ENV="${{ inputs.environment || 'all' }}" |
56 | | - echo "target_env=$INPUT_ENV" >> $GITHUB_OUTPUT |
57 | | - echo "Target environment: $INPUT_ENV" |
58 | | -
|
59 | | - deploy-dev: |
60 | | - name: "Deploy IAM roles → dev" |
61 | | - needs: metadata |
62 | | - if: >- |
63 | | - needs.metadata.outputs.target_env == 'all' || |
64 | | - needs.metadata.outputs.target_env == 'dev' |
65 | | - runs-on: ubuntu-latest |
66 | | - timeout-minutes: 15 |
67 | | - environment: dev |
68 | | - steps: |
69 | | - - name: "Checkout code" |
70 | | - uses: actions/checkout@v6 |
71 | | - |
72 | | - - name: "Setup Terraform" |
73 | | - uses: hashicorp/setup-terraform@v3 |
74 | | - with: |
75 | | - terraform_version: ${{ needs.metadata.outputs.terraform_version }} |
76 | | - |
77 | | - - name: "Configure AWS Credentials (IAM Bootstrap Role)" |
78 | | - uses: aws-actions/configure-aws-credentials@v6 |
79 | | - with: |
80 | | - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role |
81 | | - aws-region: eu-west-2 |
82 | | - |
83 | | - - name: "Terraform Init" |
84 | | - working-directory: ./infrastructure |
85 | | - run: | |
86 | | - make terraform-init env=dev stack=iams-developer-roles |
87 | | -
|
88 | | - - name: "Terraform Plan" |
89 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
90 | | - run: | |
91 | | - terraform plan -var="environment=dev" -out=tfplan |
92 | | - echo "### Dev IAM Plan" >> $GITHUB_STEP_SUMMARY |
93 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
94 | | - terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY |
95 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
96 | | -
|
97 | | - - name: "Terraform Apply" |
98 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
99 | | - run: terraform apply -auto-approve tfplan |
100 | | - |
101 | | - deploy-test: |
102 | | - name: "Deploy IAM roles → test (approval required)" |
103 | | - needs: [metadata, deploy-dev] |
104 | | - if: >- |
105 | | - always() && |
106 | | - (needs.deploy-dev.result == 'success' || needs.deploy-dev.result == 'skipped') && |
107 | | - ( |
108 | | - needs.metadata.outputs.target_env == 'all' || |
109 | | - needs.metadata.outputs.target_env == 'test' |
110 | | - ) |
111 | | - runs-on: ubuntu-latest |
112 | | - timeout-minutes: 15 |
113 | | - environment: test |
114 | | - steps: |
115 | | - - name: "Checkout code" |
116 | | - uses: actions/checkout@v6 |
117 | | - |
118 | 41 | - name: "Setup Terraform" |
119 | 42 | uses: hashicorp/setup-terraform@v3 |
120 | 43 | with: |
121 | | - terraform_version: ${{ needs.metadata.outputs.terraform_version }} |
| 44 | + terraform_version: ${{ steps.vars.outputs.terraform_version }} |
122 | 45 |
|
123 | 46 | - name: "Configure AWS Credentials (IAM Bootstrap Role)" |
124 | 47 | uses: aws-actions/configure-aws-credentials@v6 |
125 | 48 | with: |
126 | 49 | role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role |
127 | 50 | aws-region: eu-west-2 |
128 | 51 |
|
129 | | - - name: "Terraform Init" |
130 | | - working-directory: ./infrastructure |
131 | | - run: | |
132 | | - make terraform-init env=test stack=iams-developer-roles |
133 | | -
|
134 | 52 | - name: "Terraform Plan" |
135 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
136 | | - run: | |
137 | | - terraform plan -var="environment=test" -out=tfplan |
138 | | - echo "### Test IAM Plan" >> $GITHUB_STEP_SUMMARY |
139 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
140 | | - terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY |
141 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
142 | | -
|
143 | | - - name: "Terraform Apply" |
144 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
145 | | - run: terraform apply -auto-approve tfplan |
146 | | - |
147 | | - deploy-preprod: |
148 | | - name: "Deploy IAM roles → preprod (approval required)" |
149 | | - needs: [metadata, deploy-test] |
150 | | - if: >- |
151 | | - always() && |
152 | | - (needs.deploy-test.result == 'success' || needs.deploy-test.result == 'skipped') && |
153 | | - ( |
154 | | - needs.metadata.outputs.target_env == 'all' || |
155 | | - needs.metadata.outputs.target_env == 'preprod' |
156 | | - ) |
157 | | - runs-on: ubuntu-latest |
158 | | - timeout-minutes: 15 |
159 | | - environment: preprod |
160 | | - steps: |
161 | | - - name: "Checkout code" |
162 | | - uses: actions/checkout@v6 |
163 | | - |
164 | | - - name: "Setup Terraform" |
165 | | - uses: hashicorp/setup-terraform@v3 |
166 | | - with: |
167 | | - terraform_version: ${{ needs.metadata.outputs.terraform_version }} |
168 | | - |
169 | | - - name: "Configure AWS Credentials (IAM Bootstrap Role)" |
170 | | - uses: aws-actions/configure-aws-credentials@v6 |
171 | | - with: |
172 | | - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role |
173 | | - aws-region: eu-west-2 |
174 | | - |
175 | | - - name: "Terraform Init" |
176 | 53 | working-directory: ./infrastructure |
177 | 54 | run: | |
178 | | - make terraform-init env=preprod stack=iams-developer-roles |
179 | | -
|
180 | | - - name: "Terraform Plan" |
181 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
182 | | - run: | |
183 | | - terraform plan -var="environment=preprod" -out=tfplan |
184 | | - echo "### Preprod IAM Plan" >> $GITHUB_STEP_SUMMARY |
185 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
186 | | - terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY |
187 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
| 55 | + make terraform env=${{ inputs.environment }} stack=iams-developer-roles tf-command=plan workspace=default |
188 | 56 |
|
189 | 57 | - name: "Terraform Apply" |
190 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
191 | | - run: terraform apply -auto-approve tfplan |
192 | | - |
193 | | - deploy-prod: |
194 | | - name: "Deploy IAM roles → prod (approval required)" |
195 | | - needs: [metadata, deploy-preprod] |
196 | | - if: >- |
197 | | - always() && |
198 | | - (needs.deploy-preprod.result == 'success' || needs.deploy-preprod.result == 'skipped') && |
199 | | - ( |
200 | | - needs.metadata.outputs.target_env == 'all' || |
201 | | - needs.metadata.outputs.target_env == 'prod' |
202 | | - ) |
203 | | - runs-on: ubuntu-latest |
204 | | - timeout-minutes: 15 |
205 | | - environment: prod |
206 | | - steps: |
207 | | - - name: "Checkout code" |
208 | | - uses: actions/checkout@v6 |
209 | | - |
210 | | - - name: "Setup Terraform" |
211 | | - uses: hashicorp/setup-terraform@v3 |
212 | | - with: |
213 | | - terraform_version: ${{ needs.metadata.outputs.terraform_version }} |
214 | | - |
215 | | - - name: "Configure AWS Credentials (IAM Bootstrap Role)" |
216 | | - uses: aws-actions/configure-aws-credentials@v6 |
217 | | - with: |
218 | | - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-iam-bootstrap-role |
219 | | - aws-region: eu-west-2 |
220 | | - |
221 | | - - name: "Terraform Init" |
222 | 58 | working-directory: ./infrastructure |
223 | 59 | run: | |
224 | | - make terraform-init env=prod stack=iams-developer-roles |
225 | | -
|
226 | | - - name: "Terraform Plan" |
227 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
228 | | - run: | |
229 | | - terraform plan -var="environment=prod" -out=tfplan |
230 | | - echo "### Prod IAM Plan" >> $GITHUB_STEP_SUMMARY |
231 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
232 | | - terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY |
233 | | - echo '```' >> $GITHUB_STEP_SUMMARY |
234 | | -
|
235 | | - - name: "Terraform Apply" |
236 | | - working-directory: ./infrastructure/stacks/iams-developer-roles |
237 | | - run: terraform apply -auto-approve tfplan |
| 60 | + make terraform env=${{ inputs.environment }} stack=iams-developer-roles tf-command=apply workspace=default |
0 commit comments