From 6b8ec4401a7843d25646fc4a891c882e9746740b Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Tue, 28 Apr 2026 11:42:05 +0100 Subject: [PATCH 1/2] chore: assume oidc role once --- .github/actions/just/README.md | 47 +++++++++-- .github/actions/just/action.yml | 14 +--- .github/actions/terragrunt/README.md | 55 ++++++++++--- .github/actions/terragrunt/action.yml | 16 +--- .github/docs/README.md | 11 +-- .github/workflows/destroy.yml | 79 ++++++++++++++++--- .github/workflows/shared_build.yml | 31 ++++++-- .github/workflows/shared_build_get.yml | 34 ++++++-- .github/workflows/shared_deploy.yml | 49 ++++++++---- .github/workflows/shared_infra.yml | 69 +++++++++++++--- .../shared_infra_apply_from_plan.yml | 8 +- .github/workflows/shared_infra_plan.yml | 7 +- .github/workflows/shared_infra_releases.yml | 14 +++- 13 files changed, 327 insertions(+), 107 deletions(-) diff --git a/.github/actions/just/README.md b/.github/actions/just/README.md index 00def06d..9c54fa19 100644 --- a/.github/actions/just/README.md +++ b/.github/actions/just/README.md @@ -1,13 +1,13 @@ -# Execute Just Command with AWS OIDC +# Execute Just Command -This GitHub Action sets up [`just`](https://github.com/casey/just), authenticates to AWS via OIDC, and runs a specified **just recipe** — useful for clean, repeatable, script-based workflows in infrastructure, DevOps, and CI/CD pipelines. +This GitHub Action sets up [`just`](https://github.com/casey/just) and runs a specified **just recipe**. When the recipe needs AWS, the workflow job should configure credentials first. --- ## 🚀 Features - Installs a specific version of [`just`](https://github.com/casey/just) -- Configures AWS credentials using GitHub OIDC +- Uses AWS credentials already configured earlier in the same job when needed - Executes any `just` command (recipe) - Captures and returns the final line of output as an action output 
@@ -19,7 +19,6 @@ This GitHub Action sets up [`just`](https://github.com/casey/just), authenticate |--------------------|--------------------------------------------------|----------|--------------| | `just_version` | Version of `just` to install | ❌ | `1.49.0` | | `aws_region` | AWS region | ❌ | `eu-west-2` | -| `aws_oidc_role_arn`| ARN of the IAM role to assume via OIDC (optional when AWS credentials are already configured in the job) | ❌ | `""` | | `just_action` | The `just` recipe to execute | ✅ | — | | `mask_result` | Use to mask value in CI | ❌ | `false` | @@ -35,6 +34,32 @@ This GitHub Action sets up [`just`](https://github.com/casey/just), authenticate ## 🛠 Example Usage +### Reuse AWS credentials already configured in the job + +```yaml +jobs: + run-just: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + + - name: Run just with ambient AWS session + uses: ./.github/actions/just + with: + justfile_path: justfile.ci + just_action: some-aws-recipe +``` + ```just lambda-get-version: #!/usr/bin/env bash @@ -54,6 +79,12 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + - name: get lambda version id: lambda-get-version uses: ./.github/actions/just @@ -61,7 +92,6 @@ jobs: FUNCTION_NAME: dev-lambda-function ALIAS_NAME: dev with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} just_action: lambda-get-version - name: read output from script 
@@ -88,11 +118,16 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + - name: get secret id: get-secret uses: ./.github/actions/just with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} just_action: get-secret - name: read output from script diff --git a/.github/actions/just/action.yml b/.github/actions/just/action.yml index 8d346416..4a960b30 100644 --- a/.github/actions/just/action.yml +++ b/.github/actions/just/action.yml @@ -1,5 +1,5 @@ -name: "Execute Just command with AWS OIDC" -description: "Sets up Just, configures AWS OIDC authentication and runs just action" +name: "Execute Just command" +description: "Sets up Just and runs a just action using AWS credentials already configured in the job when needed" inputs: just_version: @@ -9,9 +9,6 @@ inputs: aws_region: description: "AWS Region" default: "eu-west-2" - aws_oidc_role_arn: - description: "AWS iam role arn" - default: "" just_action: description: "Just command (recipe) to execute" required: true @@ -37,13 +34,6 @@ runs: with: just-version: ${{ inputs.just_version }} - - name: Configure AWS OIDC Authentication - if: ${{ inputs.aws_oidc_role_arn != '' }} - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ inputs.aws_oidc_role_arn }} - aws-region: ${{ inputs.aws_region }} - - name: Run just action (try/catch + capture) id: capture if: ${{ inputs.mask_result == 'false' }} diff --git a/.github/actions/terragrunt/README.md b/.github/actions/terragrunt/README.md index 18a30da5..9bb93d02 100644 --- a/.github/actions/terragrunt/README.md +++ b/.github/actions/terragrunt/README.md 
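Review bot: `aws_region` survives as an input of this action, but its only consumer visible in this patch was the removed `Configure AWS OIDC Authentication` step (`aws-region: ${{ inputs.aws_region }}` in the `@@ -37,13 +34,6 @@` hunk), and the terragrunt action still forwards it on both of its `just` calls. If nothing else in action.yml reads it, it is now a dead input whose `eu-west-2` default no longer describes anything — the region actually used is whatever the job's configure step exported — which is the kind of drift that misleads the next reader into thinking the action still picks its own region. Either drop it here and from the terragrunt action's `with:` blocks in the same patch, or mark it explicitly: `description: "AWS Region (retained for caller compatibility; credentials and region now come from the job's configured AWS session)"`. The `Run just action` step that follows is outside the visible hunk, so I cannot confirm whether it still uses the value.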
@@ -1,15 +1,15 @@ -# Execute Terraform & Terragrunt with AWS OIDC +# Execute Terraform & Terragrunt -This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AWS via **OIDC**, and runs a specified `terragrunt` action: `apply`, `plan`, `apply_plan`, `destroy`, or `init`. +This GitHub Action sets up **Terraform** and **Terragrunt** and runs a specified `terragrunt` action: `apply`, `plan`, `apply_plan`, `destroy`, or `init`. When the action needs AWS, the workflow job should configure credentials first. ## Features - Installs pinned versions of Terraform and Terragrunt -- Authenticates to AWS using OIDC only when the selected action actually needs AWS access +- Uses AWS credentials already configured earlier in the same job when needed - Optionally passes Terragrunt variables via JSON tfvars - Supports `plan` mode for producing local saved plan files - Supports `init` mode for outputs-only reads -- Uses the repo-local `./.github/actions/just` action with OIDC for saved plan artifact upload and download +- Uses the repo-local `./.github/actions/just` action for saved plan artifact upload and download - Exports Terragrunt outputs as compact JSON when state exists ## Inputs @@ -20,7 +20,6 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW | `tg_version` | Version of Terragrunt to install | No | `0.72.6` | | `aws_region` | AWS region to use | No | `eu-west-2` | | `override_tg_vars` | Terragrunt variables in JSON, written to `override_tg_vars.tfvars.json` | No | `{}` | -| `aws_oidc_role_arn` | IAM role ARN to assume via OIDC | Yes | — | | `tg_directory` | Directory containing the Terragrunt config | Yes | — | | `tg_action` | Terragrunt action: `apply`, `plan`, `apply_plan`, `destroy`, or `init` | Yes | `apply` | 
@@ -36,7 +35,7 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW - `apply` Runs `terragrunt apply -auto-approve` - `plan` - Runs `terragrunt plan -detailed-exitcode -out=/terragrunt.tfplan`, then renders `terragrunt.plan.txt` and writes `terragrunt.plan.meta.json` via the repo `justfile.tg` recipe `terragrunt-plan-render`. It then uploads those files to S3 through the repo-local `./.github/actions/just` action using the same OIDC role. + Runs `terragrunt plan -detailed-exitcode -out=/terragrunt.tfplan`, then renders `terragrunt.plan.txt` and writes `terragrunt.plan.meta.json` via the repo `justfile.tg` recipe `terragrunt-plan-render`. It then uploads those files to S3 through the repo-local `./.github/actions/just` action using the AWS credentials already configured in the job. - `apply_plan` Downloads the saved plan files into `tg_directory` via the repo-local `./.github/actions/just` action and `justfile.tg`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable plus the stack-derived suffix from `tg_directory`. It then fails if the binary plan file or `terragrunt.plan.meta.json` is missing, reads `has_changes` from the saved metadata file, and skips apply with a GitHub Actions warning when the saved plan contains no mutating resource changes. Otherwise it runs `terragrunt apply` against the absolute stack-path plan file. - `destroy` 
@@ -53,8 +52,37 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW - `/terragrunt-plan-/terragrunt.plan.txt` - `/terragrunt-plan-/terragrunt.plan.meta.json` +## AWS Credentials + +Configure AWS credentials in the workflow job before calling this action. The action then reuses those ambient credentials for Terragrunt itself and for any saved-plan upload or download steps. + ## Usage +### Reuse AWS credentials already configured in the job + +```yaml +jobs: + deploy: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + + - name: Reuse ambient session in Terragrunt + uses: ./.github/actions/terragrunt + with: + tg_directory: infra/live/dev/aws/network + tg_action: init +``` + ### Minimal Apply ```yaml @@ -72,7 +100,6 @@ jobs: uses: your-org/your-action-repo@main with: aws_region: ${{ vars.AWS_REGION }} - aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role tg_directory: infra/live/dev/aws/network tg_action: apply override_tg_vars: '{"env":"dev","region":"eu-west-2"}' @@ -94,11 +121,16 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role + - name: Plan infrastructure uses: your-org/your-action-repo@main with: aws_region: ${{ vars.AWS_REGION }} - aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role tg_directory: infra/live/dev/aws/network tg_action: plan ``` 
@@ -115,11 +147,16 @@ jobs: steps: - uses: actions/checkout@v4 + - name: Configure AWS credentials once + uses: aws-actions/configure-aws-credentials@v6 + with: + aws-region: ${{ vars.AWS_REGION }} + role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role + - name: Apply infrastructure from uploaded plan uses: your-org/your-action-repo@main with: aws_region: ${{ vars.AWS_REGION }} - aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role tg_directory: infra/live/dev/aws/network tg_action: apply_plan ``` diff --git a/.github/actions/terragrunt/action.yml b/.github/actions/terragrunt/action.yml index 3c4b23d3..a4929c2f 100644 --- a/.github/actions/terragrunt/action.yml +++ b/.github/actions/terragrunt/action.yml @@ -1,5 +1,5 @@ -name: "Execute Terraform & Terragrunt with AWS OIDC" -description: "Sets up Terraform, Terragrunt, configures AWS OIDC authentication and runs terragrunt action" +name: "Execute Terraform & Terragrunt" +description: "Sets up Terraform and Terragrunt and runs a terragrunt action using AWS credentials already configured in the job when needed" inputs: tf_version: @@ -17,9 +17,6 @@ inputs: description: "Override or additional Terragrunt variables in JSON format" required: false default: "{}" - aws_oidc_role_arn: - description: "AWS iam role arn" - required: true tg_directory: description: "Module directory to perform action upon" required: true @@ -61,7 +58,6 @@ runs: env: TG_DIRECTORY: ${{ inputs.tg_directory }} with: - aws_oidc_role_arn: ${{ inputs.aws_oidc_role_arn }} aws_region: ${{ inputs.aws_region }} justfile_path: justfile.tg just_action: terragrunt-plan-download 
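Review bot: Removing `aws_oidc_role_arn` as a required input leaves the patch's own documentation describing it: the new text for `shared_infra.yml` in .github/docs/README.md says each Terragrunt job "passes the resolved deploy role into the repo-local Terragrunt action", which is exactly the input this hunk deletes. shared_infra.yml's hunks are not in this chunk, so that sentence may mean an env-level role consumed by a per-job configure step, but as written it points readers at an input that no longer exists and should be reworded to the pattern the same README describes elsewhere, e.g. "each Terragrunt job configures AWS credentials once with the resolved deploy role and the action reuses that session". Dropping `required: true` also means a caller that forgets the job-level configure step is no longer rejected at input validation; how that failure surfaces is decided by the `Action Terragrunt` step further down this file.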
@@ -95,13 +91,6 @@ runs: echo "should_apply=true" >> "$GITHUB_OUTPUT" fi - - name: Configure AWS OIDC Authentication - if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true' - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ inputs.aws_oidc_role_arn }} - aws-region: ${{ inputs.aws_region }} - - name: Action Terragrunt if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true' id: terragrunt_action @@ -163,7 +152,6 @@ runs: env: TG_DIRECTORY: ${{ inputs.tg_directory }} with: - aws_oidc_role_arn: ${{ inputs.aws_oidc_role_arn }} aws_region: ${{ inputs.aws_region }} justfile_path: justfile.tg just_action: terragrunt-plan-upload diff --git a/.github/docs/README.md b/.github/docs/README.md index a16b0fef..dcdb7504 100644 --- a/.github/docs/README.md +++ b/.github/docs/README.md 
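Review bot: With the guarded `Configure AWS OIDC Authentication` step removed, nothing in this action checks that a session exists before `Action Terragrunt` runs, so a caller that omits the job-level configure step (easier to do now that `aws_oidc_role_arn` is no longer a required input) fails partway through terragrunt with a provider credential error rather than at a clearly named step. A preflight step that mirrors the removed step's `if:` keeps the `apply_plan` no-change skip intact, fails fast, and leaves the principal the run actually used in the log, which is useful when auditing which role a destroy or apply ran under. The step below assumes the AWS CLI is present on the runner, which the `justfile.tg` upload and download recipes in this action appear to rely on already; confirm that before adopting it. The `Action Terragrunt` step's body continues outside the hunk.
```yaml
      - name: Verify AWS credentials are configured
        if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true'
        shell: bash
        run: aws sts get-caller-identity --query Arn --output text

      - name: Action Terragrunt
        if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true'
        id: terragrunt_action
        # … unchanged: terragrunt invocation …
```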
@@ -66,11 +66,11 @@ flowchart LR ### Shared Artifact Prep And Build - `shared_infra_releases.yml` - Prepares or reads shared artifact infrastructure such as ECR and the code bucket, and exposes those bucket/repository values as reusable-workflow outputs. The code-bucket job reads the Lambda, frontend, AppSpec, and infra-plan S3 prefix names from string-returning `justfile.ci` recipes and forwards them as `TF_VAR_*`, so the workflow does not duplicate those key names inline. + Prepares or reads shared artifact infrastructure such as ECR and the code bucket, and exposes those bucket/repository values as reusable-workflow outputs. The `ecr` job now configures AWS credentials once at the top of the job and lets later local actions reuse that ambient session, while simpler one-step jobs can still let the repo-local composite actions own authentication directly. The code-bucket job reads the Lambda, frontend, AppSpec, and infra-plan S3 prefix names from string-returning `justfile.ci` recipes and forwards them as `TF_VAR_*`, so the workflow does not duplicate those key names inline. - `shared_build.yml` Builds and publishes frontend, Lambda, and ECS artifacts. - `shared_build_get.yml` - Resolves artifact locations and derives matrices used by downstream deploy wrappers. + Resolves artifact locations and derives matrices used by downstream deploy wrappers. Its multi-step `images` and `lambdas` jobs configure AWS credentials once and then reuse that ambient session across repeated `just` calls against the same account. ```mermaid flowchart LR 
@@ -86,12 +86,12 @@ flowchart LR - `shared_infra_apply.yml` Direct-input apply wrapper around `shared_infra.yml`. It takes resolved workflow inputs directly and calls `shared_infra.yml` with `tg_action: apply`. - `shared_infra_apply_from_plan.yml` - Apply-from-plan wrapper around `shared_infra.yml`. It takes `plan_artifact_run_id`, resolves the same artifact bucket split used by release artifacts (`dev` stays on `dev`, non-`dev` uses `ci`) inside its `metadata` job, derives the matching plan-artifact S3 prefix via `justfile.tg`, downloads `infra-plan-metadata` from that location via `justfile.ci`, reads the frozen graph inputs back out, and then calls `shared_infra.yml` with `tg_action: apply_plan` plus that same resolved prefix. + Apply-from-plan wrapper around `shared_infra.yml`. It takes `plan_artifact_run_id`, resolves the same artifact bucket split used by release artifacts (`dev` stays on `dev`, non-`dev` uses `ci`) inside its `metadata` job, configures artifact-account AWS credentials once for that job, derives the matching plan-artifact S3 prefix via `justfile.tg`, downloads `infra-plan-metadata` from that location via `justfile.ci`, reads the frozen graph inputs back out, and then calls `shared_infra.yml` with `tg_action: apply_plan` plus that same resolved prefix. - `shared_infra.yml` - Pure ordered infra graph executor. It applies shared stacks first, then runtime stacks, then frontend infrastructure. Shared stacks now include the CloudWatch observability dashboard. It accepts `tg_action` so the same graph can run a normal apply, upload derived per-stack plan artifacts to the resolved code bucket under `terragrunt_plan/`, or apply from previously uploaded plan artifacts. 
The wrapper workflows resolve one `plan_artifact_s3_prefix` and set it in the workflow env once; the Terragrunt action reads that env directly and appends the stack-specific suffix from `tg_directory`, so `shared_infra.yml` does not need to rebuild the bucket or env/run-id tuple in every job. That means each infra run has one shared `plan-metadata.json` file for the whole graph and one separate saved plan bundle per Terragrunt stack or module. In `apply_plan` mode, each stack job first downloads its own saved plan files via `justfile.tg` through the Terragrunt action, then the Terragrunt action validates and applies those local files. Its visible step labels now follow the high-level operation, so both direct apply and apply-from-plan render as `Apply` while plan still renders as `Plan`. The `security -> network` edge is a real bootstrap dependency because `network` reads security outputs like `vpc_endpoint_sg` from remote state; if those outputs do not exist yet, `network` fails with an upstream `Unsupported attribute` error rather than a networking-specific error. + Pure ordered infra graph executor. It applies shared stacks first, then runtime stacks, then frontend infrastructure. Shared stacks now include the CloudWatch observability dashboard. It accepts `tg_action` so the same graph can run a normal apply, upload derived per-stack plan artifacts to the resolved code bucket under `terragrunt_plan/`, or apply from previously uploaded plan artifacts. The wrapper workflows resolve one `plan_artifact_s3_prefix` and set it in the workflow env once, while each Terragrunt job passes the resolved deploy role into the repo-local Terragrunt action. That means each infra run has one shared `plan-metadata.json` file for the whole graph and one separate saved plan bundle per Terragrunt stack or module. 
In `apply_plan` mode, each stack job first downloads its own saved plan files via `justfile.tg` through the Terragrunt action, then the Terragrunt action validates and applies those local files. Its visible step labels now follow the high-level operation, so both direct apply and apply-from-plan render as `Apply` while plan still renders as `Plan`. The `security -> network` edge is a real bootstrap dependency because `network` reads security outputs like `vpc_endpoint_sg` from remote state; if those outputs do not exist yet, `network` fails with an upstream `Unsupported attribute` error rather than a networking-specific error. - The shared infra wrappers must forward the permissions required by the nested reusable call chain. In practice that means `id-token: write` everywhere the Terragrunt action may assume AWS OIDC and `contents: read` for checkout. The shared plan/apply wrappers now rely on AWS access to the shared code bucket rather than GitHub artifact permissions for cross-run recovery. - `shared_deploy.yml` - Rolls out Lambda code, optional migrations, optional reconciliation Lambdas, ECS task and service updates, and optional frontend deploys. The reusable workflow renders its Lambda and ECS CodeDeploy AppSpec files from the shared templates under `config/deploy/`, and its mutating `just` steps should target `justfile.deploy` rather than the repo-root `justfile`. + Rolls out Lambda code, optional migrations, optional reconciliation Lambdas, ECS task and service updates, and optional frontend deploys. Its multi-step AWS jobs now configure credentials once at job start and let the local `just` and Terragrunt actions reuse that ambient session. The reusable workflow renders its Lambda and ECS CodeDeploy AppSpec files from the shared templates under `config/deploy/`, and its mutating `just` steps should target `justfile.deploy` rather than the repo-root `justfile`. ```mermaid flowchart LR 
@@ -143,6 +143,7 @@ Run these checks on every CI, workflow, or deploy-contract change. - verify optional inputs are intentionally omitted, not accidentally missing - the repo-local `./.github/actions/terragrunt` action supports `tg_action: plan` for producing the binary plan locally; it renders `terragrunt.plan.txt` and writes `terragrunt.plan.meta.json` via `justfile.tg` (`terragrunt-plan-render`) - `./.github/actions/terragrunt` always uploads per-stack plan artifacts on `plan` and always downloads them on `apply_plan`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable, so graph executors like `shared_infra.yml` do not need separate `./.github/actions/just` steps for those transfers +- both repo-local composite actions, `./.github/actions/just` and `./.github/actions/terragrunt`, now assume AWS credentials are already configured in the current job when they need AWS access. The repo pattern is to run `aws-actions/configure-aws-credentials` at the top of each AWS-using job and then call the local actions without extra auth inputs - saved infra-plan storage is intentionally split into two levels: - one run-level metadata file at `/infra-plan-metadata/plan-metadata.json` - one per-stack plan bundle under `/terragrunt-plan-/` diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml index 0b696c31..cf9c7075 100644 --- a/.github/workflows/destroy.yml +++ b/.github/workflows/destroy.yml @@ -22,6 +22,7 @@ permissions: env: TF_VAR_lambda_version: this AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} DOMAIN_NAME: ${{ vars.DOMAIN_NAME }} jobs: 
@@ -35,10 +36,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy observability infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/observability tg_action: destroy @@ -55,10 +60,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Deploy ${{ matrix.value }} infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: destroy @@ -68,6 +77,11 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy frontend infra uses: ./.github/actions/terragrunt env: @@ -78,7 +92,6 @@ jobs: TF_VAR_auth_hosted_ui_url: "https://destroy-placeholder" TF_VAR_auth_readonly_group_name: "readonly" with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend tg_action: destroy @@ -91,12 +104,16 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy cognito infra uses: ./.github/actions/terragrunt env: TF_VAR_domain_name: ${{ env.DOMAIN_NAME }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/cognito tg_action: destroy 
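Review bot: The role session is now minted at the start of each destroy job instead of immediately before terragrunt runs (this hunk and every later job in this file, and likewise the new steps in shared_build.yml, shared_build_get.yml and shared_deploy.yml), so the whole job's runtime now counts against the session lifetime; as far as I recall configure-aws-credentials defaults to a one-hour session for OIDC role assumption unless `role-duration-seconds` is set. A stack destroy such as `database` or `cluster` that approaches that limit would fail mid-run with an expired-token error, and the previous per-action minting hid that exposure. If any of these jobs is known to run long, set `role-duration-seconds` on the configure step and confirm the role's MaxSessionDuration permits it; otherwise a comment above the step recording the assumption would help, e.g. `# One role session for the whole job; keep the job under the role's session limit`.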
@@ -111,13 +128,17 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy ${{ matrix.value }} infra uses: ./.github/actions/terragrunt env: TF_VAR_bootstrap: "true" TF_VAR_bootstrap_image_uri: "destroy-placeholder" with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: destroy @@ -134,6 +155,11 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy ${{ matrix.value }} infra uses: ./.github/actions/terragrunt env: @@ -141,7 +167,6 @@ jobs: TF_VAR_debug_image_uri: "destroy-placeholder" TF_VAR_aws_otel_collector_image_uri: "destroy-placeholder" with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: destroy @@ -155,10 +180,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy worker messaging infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/worker_messaging tg_action: destroy @@ -172,12 +201,16 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy database infra uses: ./.github/actions/terragrunt env: TF_VAR_database_security_group_id: "destroy-placeholder" with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/database tg_action: destroy 
@@ -192,10 +225,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy network infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/network tg_action: destroy @@ -208,10 +245,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy security infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/security tg_action: destroy @@ -224,10 +265,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy code uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/code_bucket tg_action: destroy @@ -240,10 +285,14 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy code uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/ecr tg_action: destroy 
@@ -257,9 +306,13 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Destroy cluster infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/cluster tg_action: destroy diff --git a/.github/workflows/shared_build.yml b/.github/workflows/shared_build.yml index a01afd5d..5b5d70b0 100644 --- a/.github/workflows/shared_build.yml +++ b/.github/workflows/shared_build.yml @@ -57,6 +57,7 @@ permissions: env: VERSION: ${{ inputs.lambda_version }} AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} jobs: bucket: @@ -66,11 +67,15 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get build artifact bucket id: deploy_bucket uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/code_bucket tg_action: init @@ -87,13 +92,17 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Upload frontend uses: ./.github/actions/just env: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.frontend_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: frontend-build frontend-upload 
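Review bot: The new `aws-actions/configure-aws-credentials@v6` steps (this hunk and every other job touched by this patch) reference a floating major tag rather than a commit SHA, so the step that mints the deploy role's credentials can change underneath the workflow without a review in this repository; pinning to a full-length SHA with the version in a trailing comment is the usual mitigation, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha> # v6`. The repository already used `@v5` before this change, so this is an existing convention rather than a regression, but the patch adds every one of these lines and is the natural place to fix it (the context `actions/checkout@v6` lines have the same issue but are untouched here). The steps are also unnamed, unlike the `Configure AWS credentials once` steps in the README examples, so the run log shows only the action path; adding `name: Configure AWS credentials once` makes the single-session pattern visible where an operator reads logs.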
@@ -104,11 +113,15 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get ECR infra id: get-ecr uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/ecr tg_action: init @@ -131,13 +144,17 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: "Build ${{ matrix.value }} ECS image" uses: ./.github/actions/just env: CONTAINER_NAME: ${{ matrix.value }} IMAGE_URI: ${{ needs.ecr.outputs.repository_url }}:${{ matrix.value }}-${{ inputs.ecs_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: docker-build docker-push @@ -168,6 +185,11 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: "Upload ${{ matrix.value }} Lambda" uses: ./.github/actions/just env: @@ -175,7 +197,6 @@ jobs: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-build lambda-upload diff --git a/.github/workflows/shared_build_get.yml b/.github/workflows/shared_build_get.yml index 89f1655f..b95a6fa6 100644 --- a/.github/workflows/shared_build_get.yml +++ b/.github/workflows/shared_build_get.yml @@ -60,6 +60,7 @@ permissions: env: AWS_OIDC_ROLE_ARN: "arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role" + AWS_REGION: ${{ vars.AWS_REGION }} jobs: bucket: 
@@ -71,11 +72,15 @@ jobs: with: ref: ${{ inputs.lambda_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get code bucket outputs uses: ./.github/actions/terragrunt id: code_action with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/code_bucket tg_action: init @@ -106,11 +111,15 @@ jobs: with: ref: ${{ inputs.lambda_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get ECR infra id: get-ecr uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/ecr tg_action: init @@ -145,6 +154,11 @@ jobs: with: ref: ${{ inputs.lambda_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get ECR version images id: get_version_images uses: ./.github/actions/just @@ -152,7 +166,6 @@ jobs: REPOSITORY_URL: ${{ needs.ecr.outputs.repository_url }} VERSION: ${{ inputs.ecs_version != '' && inputs.ecs_version || inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: get-ecr-version-images @@ -186,7 +199,6 @@ jobs: REPOSITORY_URL: ${{ needs.ecr.outputs.repository_url }} VERSION: ${{ inputs.ecs_version != '' && inputs.ecs_version || inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: get-ecr-version-tasks 
@@ -207,13 +219,17 @@ jobs: with: ref: ${{ inputs.lambda_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Check frontend version exists uses: ./.github/actions/just env: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.frontend_version != '' && inputs.frontend_version || inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: frontend-check-version @@ -229,13 +245,17 @@ jobs: with: ref: ${{ inputs.lambda_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Check Lambda version exists uses: ./.github/actions/just env: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: lambda-check-version @@ -246,7 +266,6 @@ jobs: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: get-version-files @@ -257,6 +276,5 @@ jobs: BUCKET_NAME: ${{ needs.bucket.outputs.code_bucket_name }} VERSION: ${{ inputs.lambda_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: get-version-file-keys diff --git a/.github/workflows/shared_deploy.yml b/.github/workflows/shared_deploy.yml index ad82d1e0..b7f6f8a9 100644 --- a/.github/workflows/shared_deploy.yml +++ b/.github/workflows/shared_deploy.yml 
@@ -60,6 +60,12 @@ jobs: value: ${{ fromJson(inputs.lambda_matrix) }} steps: - uses: actions/checkout@v6 + + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Set AppSpec paths id: appspec shell: bash @@ -73,7 +79,6 @@ jobs: uses: ./.github/actions/terragrunt id: get-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: init @@ -93,7 +98,6 @@ jobs: FUNCTION_NAME: ${{ steps.get_infra_detail.outputs.lambda_function_name }} LAMBDA_ZIP_KEY: ${{ steps.appspec.outputs.lambda_zip_key }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-create-version @@ -104,7 +108,6 @@ jobs: FUNCTION_NAME: ${{ steps.get_infra_detail.outputs.lambda_function_name }} ALIAS_NAME: ${{ steps.get_infra_detail.outputs.lambda_alias_name }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-get-version @@ -120,7 +123,6 @@ jobs: APP_SPEC_FILE: ${{ github.workspace }}/config/deploy/appspec-lambda.rendered.yml APP_SPEC_KEY: ${{ steps.appspec.outputs.lambda_appspec_key }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-upload-bundle lambda-set-code-deploy-alarms lambda-deploy lambda-prune @@ -130,6 +132,12 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + if: ${{ contains(fromJson(inputs.lambda_matrix), 'migrations') }} + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Skip when migrations is not in the lambda matrix if: ${{ !contains(fromJson(inputs.lambda_matrix), 'migrations') }} run: echo "No migrations Lambda in this deploy matrix." 
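Review bot: Every configure step added to shared_deploy.yml reads `${{ env.AWS_REGION }}`, but no hunk in this file adds `AWS_REGION` to the workflow `env:` block the way the shared_build_get, shared_infra, shared_infra_plan, shared_infra_releases and shared_infra_apply_from_plan hunks do; unless the workflow already defined it before this commit, `aws-region` resolves to an empty string and the step fails before any deploy work runs. If it is missing, add `AWS_REGION: ${{ vars.AWS_REGION }}` next to `AWS_OIDC_ROLE_ARN` in that block (outside these hunks). In the hunk at `@@ -130,6 +132,12 @@` the configure step is gated on `contains(fromJson(inputs.lambda_matrix), 'migrations')`, so the terragrunt `get-infra` and `lambda-invoke` steps that follow it (next line, `@@ -139,7 +147,6 @@` and `@@ -157,7 +164,6 @@`) need the same condition or they now run without credentials; their `if:` lines are not in the hunks, so confirm, and the same applies to the `rds_reader_tagger` job at `@@ -167,6 +173,12 @@`. The enclosing jobs start outside these hunks.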
@@ -139,7 +147,6 @@ jobs: uses: ./.github/actions/terragrunt id: get-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/migrations tg_action: init @@ -157,7 +164,6 @@ jobs: env: LAMBDA_NAME: ${{ steps.get_infra_detail.outputs.lambda_function_name }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-invoke @@ -167,6 +173,12 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + if: ${{ contains(fromJson(inputs.lambda_matrix), 'rds_reader_tagger') }} + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Skip when rds_reader_tagger is not in the lambda matrix if: ${{ !contains(fromJson(inputs.lambda_matrix), 'rds_reader_tagger') }} run: echo "No rds_reader_tagger Lambda in this deploy matrix." @@ -176,7 +188,6 @@ jobs: uses: ./.github/actions/terragrunt id: get-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/rds_reader_tagger tg_action: init @@ -194,7 +205,6 @@ jobs: env: LAMBDA_NAME: ${{ steps.get_infra_detail.outputs.lambda_function_name }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: lambda-invoke @@ -207,11 +217,15 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get frontend infra uses: ./.github/actions/terragrunt id: get-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend tg_action: init 
@@ -231,7 +245,6 @@ jobs: WEBSITE_BUCKET: ${{ steps.get_infra_detail.outputs.website_bucket }} DISTRIBUTION_ID: ${{ steps.get_infra_detail.outputs.distribution_id }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: frontend-deploy frontend-invalidate @@ -244,6 +257,11 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Resolve image URIs id: image_uris env: @@ -270,7 +288,6 @@ jobs: TF_VAR_debug_image_uri: ${{ steps.task_inputs.outputs.debug_image_uri }} TF_VAR_aws_otel_collector_image_uri: ${{ steps.task_inputs.outputs.otel_image_uri }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/task_${{ matrix.value }} ecs: @@ -283,11 +300,15 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get ${{ matrix.value }} task infra uses: ./.github/actions/terragrunt id: get-task-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/task_${{ matrix.value }} tg_action: init @@ -303,7 +324,6 @@ jobs: uses: ./.github/actions/terragrunt id: get-service-infra with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/service_${{ matrix.value }} tg_action: init @@ -342,7 +362,6 @@ jobs: CONTAINER_NAME: ${{ steps.get-task-outputs.outputs.container_name }} CONTAINER_PORT: ${{ steps.get-service-outputs.outputs.container_port }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: ecs-upload-bundle 
@@ -355,7 +374,6 @@ jobs: CODE_DEPLOY_APP_NAME: ${{ steps.get-service-outputs.outputs.codedeploy_app_name }} CODE_DEPLOY_GROUP_NAME: ${{ steps.get-service-outputs.outputs.codedeploy_group_name }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: ecs-deploy @@ -367,6 +385,5 @@ jobs: SERVICE_NAME: ${{ steps.get-service-outputs.outputs.service_name }} TASK_DEFINITION_ARN: ${{ steps.get-task-outputs.outputs.task_definition_arn }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: ecs-rolling-deploy diff --git a/.github/workflows/shared_infra.yml b/.github/workflows/shared_infra.yml index e116a46b..c0fd3f85 100644 --- a/.github/workflows/shared_infra.yml +++ b/.github/workflows/shared_infra.yml @@ -51,6 +51,7 @@ permissions: env: AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} DOMAIN_NAME: ${{ vars.DOMAIN_NAME }} PLAN_ARTIFACT_S3_PREFIX: ${{ inputs.plan_artifact_s3_prefix }} TG_ACTION_LABEL: ${{ (inputs.tg_action == 'apply' || inputs.tg_action == 'apply_plan') && 'Apply' || inputs.tg_action == 'plan' && 'Plan' || inputs.tg_action == 'destroy' && 'Destroy' || inputs.tg_action == 'init' && 'Init' || 'Run' }} @@ -63,10 +64,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} oidc role infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/oidc tg_action: ${{ inputs.tg_action }} 
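Review bot: With the role assumed once per job in the shared_infra.yml hunks (`@@ -63,10 +64,14 @@` here and the matching hunks on the following lines), each terragrunt `apply`/`destroy` step now runs on a single session that the removed composite-action behaviour used to refresh on every call; the action's default `role-duration-seconds` is 3600, so a long apply (cluster, database) can lose its credentials mid-run and leave partially applied state. Set `role-duration-seconds` explicitly on these configure steps to the expected job length and verify the role's `MaxSessionDuration` permits it, or keep the default and accept that per-job runtime is now bounded by it. The `oidc` job in this hunk also manages `infra/live/${{ inputs.environment }}/aws/oidc`, the role it has just assumed; that is pre-existing, but a one-line comment above the step noting that a `destroy` there removes the workflow's own credential source would help the next reader. The jobs start outside the hunks.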
@@ -78,10 +83,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} worker messaging infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/worker_messaging tg_action: ${{ inputs.tg_action }} @@ -93,10 +102,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} observability infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/observability tg_action: ${{ inputs.tg_action }} @@ -108,12 +121,16 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} cognito infra uses: ./.github/actions/terragrunt env: TF_VAR_domain_name: ${{ env.DOMAIN_NAME }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/cognito tg_action: ${{ inputs.tg_action }} @@ -127,12 +144,16 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get network infra if: inputs.tg_action != 'apply_plan' uses: ./.github/actions/terragrunt id: get-network with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/network tg_action: init 
@@ -143,7 +164,6 @@ jobs: env: TF_VAR_domain_name: ${{ env.DOMAIN_NAME }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/cognito tg_action: init @@ -176,7 +196,6 @@ jobs: TF_VAR_auth_hosted_ui_url: ${{ inputs.tg_action == 'apply_plan' && '' || steps.get_cognito_vars.outputs.hosted_ui_url }} TF_VAR_auth_readonly_group_name: ${{ inputs.tg_action == 'apply_plan' && '' || steps.get_cognito_vars.outputs.readonly_group_name }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend tg_action: ${{ inputs.tg_action }} @@ -188,10 +207,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} cluster infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/cluster tg_action: ${{ inputs.tg_action }} @@ -205,11 +228,15 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} security infra id: deploy-security uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/security tg_action: ${{ inputs.tg_action }} 
@@ -231,12 +258,16 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} database infra uses: ./.github/actions/terragrunt env: TF_VAR_database_security_group_id: ${{ needs.security.outputs.postgres_sg }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/database tg_action: ${{ inputs.tg_action }} @@ -250,10 +281,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} network infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/network tg_action: ${{ inputs.tg_action }} @@ -274,10 +309,14 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} ${{ matrix.value }} infra uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: ${{ inputs.tg_action }} 
@@ -299,12 +338,16 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: ${{ env.TG_ACTION_LABEL }} ${{ matrix.value }} bootstrap service infra uses: ./.github/actions/terragrunt env: TF_VAR_bootstrap: "true" TF_VAR_bootstrap_image_uri: ${{ inputs.bootstrap_image_uri }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/${{ matrix.value }} tg_action: ${{ inputs.tg_action }} diff --git a/.github/workflows/shared_infra_apply_from_plan.yml b/.github/workflows/shared_infra_apply_from_plan.yml index 6f27d600..eca062ca 100644 --- a/.github/workflows/shared_infra_apply_from_plan.yml +++ b/.github/workflows/shared_infra_apply_from_plan.yml @@ -19,6 +19,7 @@ permissions: env: AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} ARTIFACT_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'dev' || 'ci' }} ARTIFACT_AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment == 'dev' && 'dev' || 'ci' }}-github-oidc-role @@ -35,11 +36,15 @@ jobs: steps: - uses: actions/checkout@v6 + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.ARTIFACT_AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get shared code bucket outputs uses: ./.github/actions/terragrunt id: code_action with: - aws_oidc_role_arn: ${{ env.ARTIFACT_AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ env.ARTIFACT_ENVIRONMENT }}/aws/code_bucket tg_action: init @@ -66,7 +71,6 @@ jobs: env: PLAN_ARTIFACT_S3_PREFIX: ${{ steps.plan_artifact_s3_prefix.outputs.just_outputs }} with: - aws_oidc_role_arn: ${{ env.ARTIFACT_AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: infra-plan-metadata-download 
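Review bot: In the shared_infra_apply_from_plan.yml hunk at `@@ -35,11 +36,15 @@` the job's single configure step assumes `ARTIFACT_AWS_OIDC_ROLE_ARN` (the ci/dev role) rather than the target environment's `AWS_OIDC_ROLE_ARN` that the same `env:` block defines, and with assume-once that choice is now the identity of every later step in the job, including any added in future. The two visible steps used the artifact role before this change, so the hunk is consistent, but nothing in the job says the choice is deliberate. Add a comment above the configure step such as `# This job reads plan artifacts from the shared ci/dev code bucket, so it assumes the artifact role, not the target environment role.` so that a later step needing the target environment identity is not silently run under the wrong role. The job starts outside the hunk.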
diff --git a/.github/workflows/shared_infra_plan.yml b/.github/workflows/shared_infra_plan.yml index 508b6e87..6ad67abf 100644 --- a/.github/workflows/shared_infra_plan.yml +++ b/.github/workflows/shared_infra_plan.yml @@ -40,6 +40,7 @@ permissions: env: AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} jobs: metadata: @@ -51,6 +52,11 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Get plan artifact S3 prefix id: plan_artifact_s3_prefix uses: ./.github/actions/just @@ -80,7 +86,6 @@ jobs: env: PLAN_ARTIFACT_S3_PREFIX: ${{ steps.plan_artifact_s3_prefix.outputs.just_outputs }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.ci just_action: infra-plan-metadata-upload diff --git a/.github/workflows/shared_infra_releases.yml b/.github/workflows/shared_infra_releases.yml index 25f0db4f..df69d5aa 100644 --- a/.github/workflows/shared_infra_releases.yml +++ b/.github/workflows/shared_infra_releases.yml @@ -32,6 +32,7 @@ permissions: env: AWS_OIDC_ROLE_ARN: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-${{ inputs.environment }}-github-oidc-role + AWS_REGION: ${{ vars.AWS_REGION }} jobs: ecr: @@ -44,11 +45,15 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Deploy ECR id: deploy_ecr uses: ./.github/actions/terragrunt with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/ecr - name: Get ECR repository url 
@@ -64,7 +69,6 @@ jobs: SOURCE_IMAGE: nginx:latest IMAGE_URI: ${{ steps.get_repository_url.outputs.repository_url }}:bootstrap-${{ inputs.infra_version }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} justfile_path: justfile.deploy just_action: docker-mirror docker-push @@ -84,6 +88,11 @@ jobs: with: ref: ${{ inputs.infra_version }} + - uses: aws-actions/configure-aws-credentials@v6 + with: + role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }} + aws-region: ${{ env.AWS_REGION }} + - name: Read Lambda artifact dir id: lambda_artifact_dir uses: ./.github/actions/just @@ -121,7 +130,6 @@ jobs: TF_VAR_appspec_artifact_dir: ${{ steps.appspec_artifact_dir.outputs.just_outputs }} TF_VAR_infra_plan_dir: ${{ steps.infra_plan_dir.outputs.just_outputs }} with: - aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/code_bucket - name: Get bucket name From 67fe3c7130f3ed700f41859fdaafacc19b989a9c Mon Sep 17 00:00:00 2001 From: chrispsheehan Date: Tue, 28 Apr 2026 12:53:08 +0100 Subject: [PATCH 2/2] chore: prod to 0.19.13 --- .github/workflows/prod_infra_apply.yml | 8 ++++---- .github/workflows/prod_infra_plan.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/prod_infra_apply.yml b/.github/workflows/prod_infra_apply.yml index f9f81e19..3fcbd64a 100644 --- a/.github/workflows/prod_infra_apply.yml +++ b/.github/workflows/prod_infra_apply.yml @@ -14,9 +14,9 @@ jobs: uses: ./.github/workflows/shared_build_get.yml with: environment: ci - lambda_version: 0.9.4 - frontend_version: 0.9.4 - ecs_version: 0.9.4 + lambda_version: 0.19.13 + frontend_version: 0.19.13 + ecs_version: 0.19.13 infra: name: Apply 
@@ -25,7 +25,7 @@ jobs: uses: ./.github/workflows/shared_infra_apply.yml with: environment: prod - infra_version: 0.9.4 + infra_version: 0.19.13 code_bucket: ${{ needs.get_build.outputs.code_bucket }} lambda_matrix: ${{ needs.get_build.outputs.lambda_version_files }} bootstrap_image_uri: ${{ needs.get_build.outputs.bootstrap_image_uri }} diff --git a/.github/workflows/prod_infra_plan.yml b/.github/workflows/prod_infra_plan.yml index 34223cf2..35f94ea8 100644 --- a/.github/workflows/prod_infra_plan.yml +++ b/.github/workflows/prod_infra_plan.yml @@ -11,17 +11,17 @@ on: lambda_version: description: "Release version to plan" required: true - default: "0.9.4" + default: "0.19.13" type: string frontend_version: description: "Frontend version to plan" required: true - default: "0.9.4" + default: "0.19.13" type: string ecs_version: description: "ECS version to plan" required: true - default: "0.9.4" + default: "0.19.13" type: string permissions: