Develop

.github/workflows/terraform-dev.yml

@@ -0,0 +1,72 @@
+name: "[DEV] - Terraform Deployment"
+
+on:
+  push:
+    branches:
+      - develop
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.8.3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Read destroy configuration
+        id: read-destroy-config
+        run: |
+          DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
+          echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+
+      - name: Terraform Init
+        run: |
+          cd infra && terraform init \
+            -backend-config="bucket=${{ vars.TERRAFORM_S3_STATEFILE_BUCKET }}" \
+            -backend-config="key=${{ github.event.repository.name }}" \
+            -backend-config="region=${{ env.AWS_REGION }}" \
+            -backend-config="dynamodb_table=${{ vars.TERRAFORM_DYNAMODB_LOCK_TABLE }}"
+
+      - name: Terraform Validate
+        run: terraform validate
+
+      - name: Terraform Destroy for Dev
+        if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+        id: terraform-destroy-dev
+        run: cd infra &&
+          terraform workspace select dev || terraform workspace new dev &&
+          terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
+
+      - name: Terraform Plan for Dev
+        if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+        id: terraform-plan-dev
+        run: cd infra &&
+          terraform workspace select dev || terraform workspace new dev &&
+          terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
+
+      - name: Terraform Apply for Dev
+        id: terraform-apply-dev
+        if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+        run: cd infra &&
+          terraform workspace select dev || terraform workspace new dev &&
+          terraform apply "dev.plan"

.github/workflows/terraform.yml → .github/workflows/terraform-prod.yml

@@ -1,11 +1,14 @@
-name: Terraform Deployment
+name: "[PROD] - Terraform Deployment"
 
 on:
   push:
     branches:
-      - develop
       - main
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   terraform:
     runs-on: ubuntu-latest
@@ -16,27 +19,27 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.8.3
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v2
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role #change to reflect your IAM role’s ARN
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
           aws-region: ${{ vars.AWS_REGION }}
 
       - name: Read destroy configuration
         id: read-destroy-config
         run: |
           DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
           DESTROY_PROD="$(jq -r '.prod' ./infra/destroy_config.json)"
-          echo "::set-output name=destroy_dev::$DESTROY_DEV"
-          echo "::set-output name=destroy_prod::$DESTROY_PROD"
+          echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+          echo "destroy_prod=$(echo $DESTROY_PROD)" >> $GITHUB_OUTPUT
 
       - name: Terraform Init
         run: |
@@ -49,27 +52,6 @@ jobs:
       - name: Terraform Validate
         run: terraform validate
 
-      - name: Terraform Destroy for Dev
-        if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
-        id: terraform-destroy-dev
-        run: cd infra &&
-          terraform workspace select dev || terraform workspace new dev &&
-          terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
-
-      - name: Terraform Plan for Dev
-        if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
-        id: terraform-plan-dev
-        run: cd infra &&
-          terraform workspace select dev || terraform workspace new dev &&
-          terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
-
-      - name: Terraform Apply for Dev
-        id: terraform-apply-dev
-        if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
-        run: cd infra &&
-          terraform workspace select dev || terraform workspace new dev &&
-          terraform apply "dev.plan"
-
       - name: Terraform Destroy for Prod
         if: steps.read-destroy-config.outputs.destroy_prod == 'true' && github.ref == 'refs/heads/main' && github.event_name == 'push'
         id: terraform-destroy-prod