[NDR-297] Manage Github role in Terraform (for Dev env)

.github/actions/tf-plan-apply/action.yml

@@ -0,0 +1,81 @@
+name: "Terraform Plan & Apply"
+description: "Run Terraform plan & Apply for a given component"
+
+inputs:
+  aws_assume_role:
+    description: "AWS IAM Role to assume"
+    required: true
+
+  aws_region:
+    description: "AWS Region to use"
+    required: true
+
+  terraform_version:
+    description: "Terraform version to use"
+    required: false
+    default: "1.13.3"
+
+  backend_conf:
+    description: "Terraform backend config file"
+    required: true
+
+  working_directory:
+    description: "Terraform working directory"
+    required: false
+    default: "./infrastructure"
+
+  workspace:
+    description: "Environment (ndr-dev, test, etc) or Sandbox name [a-z0-9]{1,8}"
+    required: true
+
+  tf_vars_file:
+    description: "Terraform variables file"
+    required: true
+
+  tf_extra_args:
+    description: "Additional Terraform arguments to pass in"
+    required: false
+    default: ""
+
+runs:
+  using: "composite"
+  steps:
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v5
+      with:
+        role-to-assume: ${{ inputs.aws_assume_role }}
+        role-skip-session-tagging: true
+        aws-region: ${{ inputs.aws_region }}
+        mask-aws-account-id: true
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: ${{ inputs.terraform_version }}
+        terraform_wrapper: false
+
+    - name: Initialise Terraform
+      run: terraform init -backend-config=${{ inputs.backend_conf }}
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Select Terraform Workspace
+      run: terraform workspace select -or-create ${{ inputs.workspace }}
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Check Terraform Formatting
+      run: terraform fmt -check
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Run Terraform Plan
+      run: |
+        terraform plan -input=false -no-color -var-file="${{ inputs.tf_vars_file }}" ${{ inputs.tf_extra_args }} -out tf.plan
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash
+
+    - name: Run Terraform Apply
+      run: terraform apply -auto-approve -input=false tf.plan
+      working-directory: ${{ inputs.working_directory }}
+      shell: bash

.github/workflows/automated-deploy-dev.yml

@@ -13,11 +13,35 @@ permissions:
   actions: read   # This is required for Plan comment
   id-token: write # This is required for requesting the JWT
   contents: write # This is required for SBOM action
-    
+
 jobs:
+
+  # Terraform apply of pre-core will only occur on a push (merge request completion)
+  terraform_plan_apply_pre_core:
+    if: github.ref == 'refs/heads/main'
+    name: Terraform Plan/Apply (pre_core)
+    runs-on: ubuntu-latest
+    environment: development
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v5
+
+      - name: Apply pre_core
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws_region: ${{ vars.AWS_REGION }}
+          backend_conf: "backend.conf"
+          working_directory: "./pre_core"  # Use separate pre_core directory
+          workspace: ${{ secrets.AWS_WORKSPACE }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+
+  # Will run when terraform_plan_apply_pre_core completes or is skipped
   terraform_plan_apply:
     name: Terraform Plan/Apply (ndr-dev)
     runs-on: ubuntu-latest
+    needs: terraform_plan_apply_pre_core
+    if: always() && (needs.terraform_plan_apply_pre_core.result == 'skipped' || needs.terraform_plan_apply_pre_core.result == 'success')
     environment: development
     steps:
       - name: Checkout
@@ -73,7 +97,7 @@ jobs:
               echo "::add-mask::$cert_block"
             fi
           done || echo "No certificate blocks found to mask."
-          
+
           # Mask sensitive URLs in the Terraform Plan output
           grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
             if [ -n "$api_url" ]; then
@@ -153,7 +177,7 @@ jobs:
 
             // 2. Prepare format of the comment
             const output = `### Report for environment: ndr-dev
-            
+
             #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
             <details><summary>Initialization Output</summary>
 
@@ -191,7 +215,7 @@ jobs:
                 body: output
               })
             }
-            
+
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,

.github/workflows/deploy-sandbox.yml

@@ -34,17 +34,52 @@ jobs:
         env:
           SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}
 
+
+# APPLY PRE_CORE TF (FROM CHOSEN BRANCH)
+  terraform_plan_apply_pre_core:
+    name: Terraform Plan/Apply (pre_core)
+    runs-on: ubuntu-latest
+    needs: validate_inputs
+    environment: development
+    steps:
+      - name: Checkout branch
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.inputs.git_ref}}
+
+      - name: Apply pre_core
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws_region: ${{ vars.AWS_REGION }}
+          backend_conf: "backend.conf"
+          working_directory: "./pre_core"  # Use separate pre_core directory
+          workspace: ${{ github.event.inputs.sandbox_name }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+
+
+  # APPLY MAIN
   terraform_plan_apply_main:
     name: Terraform Plan/Apply (main)
     runs-on: ubuntu-latest
-    needs: validate_inputs
+    needs: terraform_plan_apply_pre_core
     environment: development
     steps:
       - name: Checkout main
         uses: actions/checkout@v5
         with:
           ref: main
 
+      # TODO: We can't use this on the main branch yet, until the action is merged to main!
+      # - name: Apply Main
+      #   uses: ./.github/actions/tf-plan-apply
+      #   with:
+      #     aws_assume_role: ${{ secrets.AWS_ASSUME_ROLE }}
+      #     aws_region: ${{ vars.AWS_REGION }}
+      #     backend_conf: "backend.conf"
+      #     workspace: ${{ github.event.inputs.sandbox_name }}
+      #     tf_vars_file: ${{ vars.TF_VARS_FILE }}
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
@@ -53,7 +88,6 @@ jobs:
           aws-region: ${{ vars.AWS_REGION }}
           mask-aws-account-id: true
 
-      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v3
         with:
@@ -83,56 +117,26 @@ jobs:
         run: terraform apply -auto-approve -input=false tf-main.plan
         working-directory: ./infrastructure
 
+
+  # APPLY CHOSEN BRANCH
+  # USING THE NEWLY CREATED ROLE
   terraform_plan_apply_branch:
     name: Terraform Plan/Apply (branch)
     if: ${{ github.event.inputs.git_ref != 'main' }}
     runs-on: ubuntu-latest
     needs: terraform_plan_apply_main
     environment: development
     steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
-          role-skip-session-tagging: true
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.13.3
-          terraform_wrapper: false
-
       - name: Checkout Branch
         uses: actions/checkout@v5
         with:
           ref: ${{ github.event.inputs.git_ref}}
 
-        # Checks that all Terraform configuration files adhere to a canonical format.
-      - name: Check Terraform Formatting
-        run: terraform fmt -check
-        working-directory: ./infrastructure
-
-      - name: Initialise Terraform
-        id: init
-        run: terraform init -backend-config=backend.conf
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Select Terraform Workspace
-        id: workspace
-        run: terraform workspace select ${{ github.event.inputs.sandbox_name}}
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Run Terraform Plan
-        id: plan
-        run: |
-          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
-        working-directory: ./infrastructure
-        shell: bash
-
-      - name: Run Terraform Apply (branch over main)
-        run: terraform apply -auto-approve -input=false tf.plan
-        working-directory: ./infrastructure
+      - name: Apply Branch
+        uses: ./.github/actions/tf-plan-apply
+        with:
+          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
+          aws_region: ${{ vars.AWS_REGION }}
+          backend_conf: "backend.conf"
+          workspace: ${{ github.event.inputs.sandbox_name }}
+          tf_vars_file: ${{ vars.TF_VARS_FILE }}

.github/workflows/deploy-test.yml

@@ -16,6 +16,10 @@ permissions:
   contents: read  # This is required for actions/checkout
 
 jobs:
+  # TODO: Add pre-core plan/apply
+  # TODO: Remember to pass in:-var=pre_prod_account_id=${{ secrets.PRE_PROD_AWS_ACCOUNT_ID }}
+  # TODO: Change existing apply to use new pre_core role
+
   terraform_plan_apply:
     name: Terraform Plan/Apply (ndr-test)
     runs-on: ubuntu-latest

.github/workflows/tear-down-sandbox.yml

@@ -77,15 +77,44 @@ jobs:
         with:
           ref: ${{ inputs.git_ref }}
 
-      - name: Setup Python 3.11
-        uses: actions/setup-python@v6
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
         with:
-          python-version: 3.11
+          # Use role created in pre_core
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
 
-      - name: Install Python Dependencies
-        run: |
-          python3 -m venv ./venv
-          ./venv/bin/pip3 install --upgrade pip boto3
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.13.3
+
+      - name: Initialise Terraform
+        run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
+        working-directory: ./infrastructure
+
+      - name: Select Terraform Workspace
+        run: terraform workspace select ${{ inputs.sandbox_name }}
+        working-directory: ./infrastructure
+
+      - name: Run Terraform Destroy
+        run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
+        working-directory: ./infrastructure
+
+  terraform_destroy_pre_core:
+    name: Terraform Destroy (Pre-Core)
+    # Only destroy pre-core in development (sandbox) environment. Don't tear down in Test environment.
+    # TODO: TEST THAT BRANCH ISN'T NDR-DEV!
+    if: ${{ github.event.inputs.environment == 'development' }}
+    runs-on: ubuntu-latest
+    needs: [terraform_destroy]
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.git_ref }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
@@ -101,15 +130,43 @@ jobs:
 
       - name: Initialise Terraform
         run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}
-        working-directory: ./infrastructure
+        working-directory: ./pre_core
 
       - name: Select Terraform Workspace
         run: terraform workspace select ${{ inputs.sandbox_name }}
-        working-directory: ./infrastructure
+        working-directory: ./pre_core
 
       - name: Run Terraform Destroy
         run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
-        working-directory: ./infrastructure
+        working-directory: ./pre_core
+
+  cleanup_resources:
+    name: Cleanup Resources
+    runs-on: ubuntu-latest
+    needs: [terraform_destroy_pre_core]
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ inputs.git_ref }}
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      - name: Setup Python 3.11
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
+      - name: Install Python Dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip boto3
 
       - name: Run Cleanup Script (Terraform Workspace)
         run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_name }}