VED-1223: Update permissions to auto-ops role so the pipeline can apply terraform changes at account level #1384
Open
Thomas-Boyle wants to merge 28 commits into master from
Conversation
…D pipelines
- Introduced a new GitHub Actions workflow for managing account-level Terraform operations, including planning, manual approval, and applying changes.
- Updated `continuous-deployment.yml` and `pr-deploy-and-test.yml` to utilize the new account-terraform workflow, ensuring infrastructure changes are detected and processed.
- Enhanced Makefile with new targets for CI-specific Terraform commands.
- Added a script to resolve the Terraform state bucket dynamically based on the configured environment.
- Updated IAM policy to include permissions for AWS Shield operations.
Contributor
This branch is working on a ticket in the NHS England VED JIRA Project. Here's a handy link to the ticket: VED-1223
…script
- Introduced a new function in the Makefile to ensure the BUCKET_NAME variable is set before executing Terraform commands.
- Updated the bucket resolution script to trim whitespace from the CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET variable, enhancing reliability in detecting the configured bucket.
…orkflow
- Added validation to ensure the resolved bucket name is not empty, improving error handling in the GitHub Actions workflow.
- Updated the script execution to store the bucket name in a variable before outputting, enhancing clarity and maintainability.
…olution script
- Introduced a new optional input `state_bucket_environment` in the `account-terraform.yml` workflow to allow dynamic configuration.
- Updated `continuous-deployment.yml` and `pr-deploy-and-test.yml` workflows to set the `state_bucket_environment` for internal development.
- Enhanced the bucket resolution script to utilize the `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variable for improved bucket naming based on the environment.
…on script
- Added `ACCOUNT_TERRAFORM_WORKSPACE` input to the `account-terraform.yml` workflow for improved workspace management.
- Updated the bucket resolution script to validate the `ACCOUNT_TERRAFORM_WORKSPACE` variable and incorporate it into the state key for better bucket identification.
- Enhanced error handling to ensure the workspace is set before proceeding with bucket resolution.
- Added a new function to the bucket resolution script to check if the bucket matches the account state, improving accuracy in identifying the correct bucket.
- Updated the workflow to log the resolved bucket name, enhancing visibility during execution and debugging.
- Updated the `resolve_account_terraform_state_bucket.sh` script to print the formatted bucket name based on the `state_bucket_environment` variable.
- Removed the previous logic for adding candidate buckets, simplifying the script's flow when the environment variable is set.
avshetty1980 reviewed Apr 7, 2026
…error messaging
- Simplified the script by introducing a `trim` function to handle whitespace for the `CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET` and `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variables.
- Enhanced error handling to ensure the `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variable is set when the configured bucket is not provided, improving clarity in user feedback.
…enhanced validation and clarity
- Consolidated SHA validation logic in the account-terraform workflow to improve efficiency and readability.
- Streamlined change detection output by directly capturing the status of account infrastructure changes.
- Simplified the bucket resolution script by removing unnecessary functions and utilizing direct variable assignment for improved clarity.
…peline-permissions
…handling for pull requests. Removed conditional check for 'synchronize' action to ensure consistent base SHA retrieval.
…ore apply phase
- Introduced a new job for manual approval after the plan phase, ensuring that changes are reviewed before application.
- Updated the apply job to depend on the approval step, enhancing control over the deployment process.
…ifact naming
- Updated workflow name for clarity.
- Added support for manual input parameters including environment selection and optional artifact naming.
- Improved handling of SHA values for better consistency in deployment processes.
- Streamlined artifact name generation to ensure clarity and avoid potential conflicts.
…peline-permissions
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 reviewed Apr 9, 2026
avshetty1980 requested changes Apr 9, 2026
avshetty1980 (Contributor) left a comment:
just a few comments and nits
… and clarity
- Added ACCOUNT_TERRAFORM_VERSION environment variable for consistent Terraform versioning.
- Increased job timeout to 30 minutes for both planning and applying stages.
- Updated role-session-name format for better traceability in AWS actions.
- Modified Makefile to streamline Terraform apply command.
- Added validation for ACCOUNT_TERRAFORM_STATE_ENVIRONMENT in the state bucket resolution script to enforce correct environment values.
- Added permissions for attestations and artifact metadata in the workflow.
- Introduced steps for attesting the Terraform plan and verifying the attestation.
- Improved overall security and traceability of the Terraform deployment process.
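The commits above describe the state-bucket resolver piece by piece: trim whitespace from `CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET`, fall back to a name derived from `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` (and fail if neither is set), require `ACCOUNT_TERRAFORM_WORKSPACE` and fold it into the state key, reject unknown environment values, and refuse an empty result before the workflow hands the name to Terraform. The script below is an added example written for this page to show those checks working together; it is not the project's `resolve_account_terraform_state_bucket.sh`. The bucket naming pattern (`example-account-terraform-state-<env>`), the environment allow-list (`dev|int|ref|prod`), the state-key layout (`account/<workspace>/terraform.tfstate`) and the character restriction on workspace names are all assumptions, since the PR text names the variables and the validations but not the values.

```shell
#!/usr/bin/env sh
# Added example, not the project's resolve_account_terraform_state_bucket.sh.
# Resolves the account-level Terraform state bucket and state key: an
# explicitly configured bucket wins, otherwise the name is derived from the
# environment; the workspace is mandatory and becomes part of the state key.
# Naming pattern, environment allow-list and key layout are assumptions.
set -u

# trim STRING: strip leading and trailing whitespace, including the trailing
# newline that "$(...)" capture of an echoed variable leaves behind.
trim() {
  printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# resolve_state_bucket CONFIGURED_BUCKET ENVIRONMENT WORKSPACE
# Prints "<bucket> <state-key>" on success. On any validation failure it
# writes the reason to stderr and returns 1, so a Makefile target or workflow
# step running under `set -e` stops before `terraform init` ever runs.
resolve_state_bucket() {
  configured=$(trim "${1-}")
  environment=$(trim "${2-}")
  workspace=$(trim "${3-}")

  if [ -z "$workspace" ]; then
    echo "ACCOUNT_TERRAFORM_WORKSPACE must be set" >&2
    return 1
  fi
  # The workspace is interpolated into an S3 object key, so only accept a
  # conservative character set and no leading dot (rejects '/', '..',
  # whitespace and shell metacharacters). Assumed restriction.
  case "$workspace" in
    *[!A-Za-z0-9_.-]*|.*)
      echo "invalid ACCOUNT_TERRAFORM_WORKSPACE: '$workspace'" >&2
      return 1 ;;
  esac

  if [ -n "$configured" ]; then
    bucket=$configured
  else
    if [ -z "$environment" ]; then
      echo "ACCOUNT_TERRAFORM_STATE_ENVIRONMENT must be set when CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET is empty" >&2
      return 1
    fi
    # Assumed allow-list: only known environments may name a state bucket.
    case "$environment" in
      dev|int|ref|prod) ;;
      *)
        echo "unknown ACCOUNT_TERRAFORM_STATE_ENVIRONMENT: '$environment'" >&2
        return 1 ;;
    esac
    bucket="example-account-terraform-state-${environment}"   # assumed pattern
  fi

  # Mirrors the workflow's "resolved bucket name is not empty" guard.
  if [ -z "$bucket" ]; then
    echo "resolved bucket name is empty" >&2
    return 1
  fi
  printf '%s %s\n' "$bucket" "account/${workspace}/terraform.tfstate"
}

# Stand-alone use from a workflow step or Makefile target, reading the
# variables the PR names. Set RESOLVE_STATE_BUCKET_RUN=1 to execute.
if [ "${RESOLVE_STATE_BUCKET_RUN:-0}" = 1 ]; then
  resolve_state_bucket \
    "${CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET:-}" \
    "${ACCOUNT_TERRAFORM_STATE_ENVIRONMENT:-}" \
    "${ACCOUNT_TERRAFORM_WORKSPACE:-}" || exit 1
fi
```

In a workflow step the two fields of the printed line would be captured into a variable and then written to `GITHUB_OUTPUT` and logged, as the commits describe; keeping every failure as a non-zero return with a stderr message is what lets the calling step fail closed rather than initialising Terraform against an unintended bucket.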