NRL-1594 Avoid expanding variable in block

axelkrastek1-nhs · axelkrastek1-nhs · commit 70efcd1c09fd · 2025-09-19T13:10:11.000+01:00
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
@@ -121,11 +121,13 @@ jobs:
             terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
           terraform -chdir=terraform/infrastructure plan \
             --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
-            --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+            --var assume_role_arn=${DEPLOY_ROLE_ARN} \
             --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
             -out tfplan
 
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
@@ -150,10 +150,12 @@ jobs:
           terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure plan \
           --var-file=etc/dev.tfvars \
-          --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+          --var assume_role_arn=${DEPLOY_ROLE_ARN} \
           --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
           -out tfplan
 
@@ -286,6 +288,8 @@ jobs:
 
       - name: Configure Dev Account Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         with:
           aws-region: eu-west-2
           role-chaining: true
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
@@ -80,10 +80,12 @@ jobs:
         run: make build get-s3-perms
 
       - name: Terraform Destroy
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure destroy \
             --var-file=etc/dev.tfvars \
-            --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+            --var assume_role_arn=${DEPLOY_ROLE_ARN} \
             -auto-approve
 
       - name: Cleanup Terraform Workspace
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
@@ -193,10 +193,12 @@ jobs:
               terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
 
       - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
         run: |
           terraform -chdir=terraform/infrastructure plan \
               --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
-              --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+              --var assume_role_arn=${DEPLOY_ROLE_ARN} \
               --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
               --out tfplan
 
