VED-1223: Update permissions to auto-ops role so the pipeline can apply terraform changes at account level (#1384)

* Add account-level Terraform workflow and integrate with existing CI/CD pipelines

- Introduced a new GitHub Actions workflow for managing account-level Terraform operations, including planning, manual approval, and applying changes.
- Updated `continuous-deployment.yml` and `pr-deploy-and-test.yml` to utilize the new account-terraform workflow, ensuring infrastructure changes are detected and processed.
- Enhanced Makefile with new targets for CI-specific Terraform commands.
- Added a script to resolve the Terraform state bucket dynamically based on the configured environment.
- Updated IAM policy to include permissions for AWS Shield operations.

* Add bucket name validation to Makefile and improve bucket resolution script

- Introduced a new function in the Makefile to ensure the BUCKET_NAME variable is set before executing Terraform commands.
- Updated the bucket resolution script to trim whitespace from the CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET variable, enhancing reliability in detecting the configured bucket.

* Enhance bucket name resolution with validation in account-terraform workflow

- Added validation to ensure the resolved bucket name is not empty, improving error handling in the GitHub Actions workflow.
- Updated the script execution to store the bucket name in a variable before outputting, enhancing clarity and maintainability.

* Add state bucket environment input to workflows and update bucket resolution script

- Introduced a new optional input `state_bucket_environment` in the `account-terraform.yml` workflow to allow dynamic configuration.
- Updated `continuous-deployment.yml` and `pr-deploy-and-test.yml` workflows to set the `state_bucket_environment` for internal development.
- Enhanced the bucket resolution script to utilize the `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variable for improved bucket naming based on the environment.

* Enhance Terraform workspace handling in workflows and bucket resolution script

- Added `ACCOUNT_TERRAFORM_WORKSPACE` input to the `account-terraform.yml` workflow for improved workspace management.
- Updated the bucket resolution script to validate the `ACCOUNT_TERRAFORM_WORKSPACE` variable and incorporate it into the state key for better bucket identification.
- Enhanced error handling to ensure the workspace is set before proceeding with bucket resolution.

* Enhance bucket resolution script and workflow logging

- Added a new function to the bucket resolution script to check if the bucket matches the account state, improving accuracy in identifying the correct bucket.
- Updated the workflow to log the resolved bucket name, enhancing visibility during execution and debugging.

* Refactor bucket resolution script to output bucket name and exit

- Updated the `resolve_account_terraform_state_bucket.sh` script to print the formatted bucket name based on the `state_bucket_environment` variable.
- Removed the previous logic for adding candidate buckets, simplifying the script's flow when the environment variable is set.

* Refactor bucket resolution script to improve whitespace handling and error messaging

- Simplified the script by introducing a `trim` function to handle whitespace for the `CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET` and `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variables.
- Enhanced error handling to ensure the `ACCOUNT_TERRAFORM_STATE_ENVIRONMENT` variable is set when the configured bucket is not provided, improving clarity in user feedback.

* Update account-terraform workflow to conditionally set bucket name based on environment

- Modified the `CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET` variable to use a conditional expression, allowing for a default bucket name when the environment is 'dev'.
- Removed the `ACCOUNT_TERRAFORM_WORKSPACE` variable from the environment settings to streamline the workflow.

* Refactor account-terraform workflow to streamline job dependencies and conditions

- Consolidated the account-terraform jobs by removing unnecessary manual approval and not-required stages, simplifying the workflow.
- Updated conditions for the account-terraform-apply job to ensure it only runs when infrastructure changes are detected.
- Enhanced the account-terraform-plan job to skip execution when no changes are present, improving efficiency.

* Enhance account-terraform workflow to improve change detection logging

- Updated the change detection logic to store and log specific files that have changed within the `infrastructure/account/` directory, enhancing visibility during workflow execution.
- Ensured that the workflow outputs a clear indication of whether account infrastructure changes are present, improving debugging and tracking of modifications.

* Update pr-deploy-and-test workflow to enhance SHA handling during synchronization

- Modified the logic for setting `base_sha` and `diff_base_sha` to account for the 'synchronize' action, ensuring accurate detection of changes when pull requests are updated.
- Improved the workflow's responsiveness to changes, enhancing overall efficiency in deployment and testing processes.

* Enhance account-terraform workflow to improve environment variable handling

- Added environment variables for base SHA, head SHA, and environment to streamline the Terraform job configurations.
- Updated the workflow steps to utilize these environment variables, improving clarity and maintainability in the execution of Terraform commands.

* Enhance account-terraform workflow with improved SHA validation and environment variable usage

- Added validation for base and head SHA variables to ensure they are correctly formatted before proceeding with change detection.
- Updated the workflow to utilize an environment variable for the bucket name in Terraform initialization steps, enhancing clarity and maintainability.

* Refactor account-terraform workflow and bucket resolution script for improved change detection and whitespace handling

- Updated the SHA validation logic in the account-terraform workflow to use more efficient conditional expressions.
- Enhanced change detection by directly capturing modified files in the `infrastructure/account/` directory, improving logging clarity.
- Refined the `trim` function in the bucket resolution script to handle whitespace more effectively, ensuring accurate bucket name processing.

* Refactor account-terraform workflow and bucket resolution script for improved clarity and efficiency

- Introduced environment variables for the configured bucket and state environment directly in the workflow, enhancing maintainability.
- Simplified the bucket resolution logic in the script by condensing conditional checks, improving readability and error handling.
- Streamlined the workflow steps to directly capture the bucket name output, reducing unnecessary complexity.

* Refactor account-terraform workflow and bucket resolution script for enhanced validation and clarity

- Consolidated SHA validation logic in the account-terraform workflow to improve efficiency and readability.
- Streamlined change detection output by directly capturing the status of account infrastructure changes.
- Simplified the bucket resolution script by removing unnecessary functions and utilizing direct variable assignment for improved clarity.

* Update base_sha logic in pr-deploy-and-test workflow to simplify SHA handling for pull requests. Removed conditional check for 'synchronize' action to ensure consistent base SHA retrieval.

* chore: empty commit

* chore: empty commit

* Enhance account-terraform workflow by adding manual approval step before apply phase

- Introduced a new job for manual approval after the plan phase, ensuring that changes are reviewed before application.
- Updated the apply job to depend on the approval step, enhancing control over the deployment process.

* Fix description in ECR lifecycle policy to include a period for consistency.

* Refactor account-terraform workflow to enhance input handling and artifact naming

- Updated workflow name for clarity.
- Added support for manual input parameters including environment selection and optional artifact naming.
- Improved handling of SHA values for better consistency in deployment processes.
- Streamlined artifact name generation to ensure clarity and avoid potential conflicts.

* Enhance account-terraform workflow and scripts for improved stability and clarity

- Added ACCOUNT_TERRAFORM_VERSION environment variable for consistent Terraform versioning.
- Increased job timeout to 30 minutes for both planning and applying stages.
- Updated role-session-name format for better traceability in AWS actions.
- Modified Makefile to streamline Terraform apply command.
- Added validation for ACCOUNT_TERRAFORM_STATE_ENVIRONMENT in the state bucket resolution script to enforce correct environment values.

* Enhance account-terraform workflow with attestation support

- Added permissions for attestations and artifact metadata in the workflow.
- Introduced steps for attesting the Terraform plan and verifying the attestation.
- Improved overall security and traceability of the Terraform deployment process.

* chore: empty commit

* chore: empty commit

Author: Thomas-Boyle

.github/workflows/account-terraform.yml

@@ -0,0 +1,228 @@
+name: Apply Account Terraform
+
+on:
+  workflow_call:
+    inputs:
+      base_sha:
+        required: true
+        type: string
+      head_sha:
+        required: true
+        type: string
+      environment:
+        required: true
+        type: string
+      state_bucket_environment:
+        required: false
+        type: string
+        default: ""
+      artifact_name:
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Select AWS account environment
+        required: true
+        type: choice
+        options:
+          - dev
+          - preprod
+          - prod
+      state_bucket_environment:
+        description: Override state bucket environment
+        required: false
+        type: string
+        default: ""
+      base_sha:
+        description: Base commit SHA for diff checks. Leave blank to use previous commit.
+        required: false
+        type: string
+        default: ""
+      head_sha:
+        description: Head commit SHA for diff checks. Leave blank to use current commit.
+        required: false
+        type: string
+        default: ""
+      artifact_name:
+        description: Optional Terraform plan artifact name
+        required: false
+        type: string
+        default: ""
+
+run-name: Apply Account Terraform - ${{ inputs.environment }}
+
+concurrency:
+  group: account-terraform-${{ github.repository }}-${{ inputs.environment }}
+  cancel-in-progress: false
+
+env:
+  CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET: ${{ vars.ACCOUNT_TERRAFORM_STATE_BUCKET || (inputs.environment == 'dev' && 'immunisation-terraform-state-files' || '') }}
+  ACCOUNT_TERRAFORM_STATE_ENVIRONMENT: ${{ inputs.state_bucket_environment }}
+  ACCOUNT_TERRAFORM_ARTIFACT_NAME: ${{ inputs.artifact_name || format('{0}-account-tfplan-{1}', inputs.environment, github.run_attempt) }}
+  ACCOUNT_TERRAFORM_VERSION: "1.12.2"
+
+jobs:
+  account-terraform-plan:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
+      artifact-metadata: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment:
+      name: ${{ inputs.environment }}
+    env:
+      ACCOUNT_TERRAFORM_BASE_SHA: ${{ inputs.base_sha }}
+      ACCOUNT_TERRAFORM_HEAD_SHA: ${{ inputs.head_sha || github.sha }}
+      ACCOUNT_TERRAFORM_ENVIRONMENT: ${{ inputs.environment }}
+    outputs:
+      account_infra_changed: ${{ steps.diff.outputs.account_infra_changed }}
+      plan_sha: ${{ env.ACCOUNT_TERRAFORM_HEAD_SHA }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
+        with:
+          fetch-depth: 0
+
+      - name: Detect account terraform changes
+        id: diff
+        run: |
+          base_sha="$ACCOUNT_TERRAFORM_BASE_SHA"
+          head_sha="$ACCOUNT_TERRAFORM_HEAD_SHA"
+
+          if [[ -z "$base_sha" || "$base_sha" == "0000000000000000000000000000000000000000" ]]; then
+            base_sha=$(git rev-parse HEAD~1)
+          fi
+
+          for sha_name in base_sha head_sha; do
+            if [[ ! "${!sha_name}" =~ ^[0-9a-f]{40}$ ]]; then
+              echo "Invalid $sha_name: ${!sha_name}" >&2
+              exit 1
+            fi
+          done
+
+          account_changed_files=$(git diff --name-only "$base_sha" "$head_sha" -- infrastructure/account)
+          if [ -n "$account_changed_files" ]; then
+            echo "changes detected in files:"
+            printf '%s\n' "$account_changed_files"
+          fi
+          echo "account_infra_changed=$( [ -n "$account_changed_files" ] && echo true || echo false )" >> "$GITHUB_OUTPUT"
+
+      - name: Connect to AWS
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: ${{ format('github-actions-{0}-{1}-{2}', github.run_id, github.run_attempt, github.job) }}
+
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        with:
+          terraform_version: ${{ env.ACCOUNT_TERRAFORM_VERSION }}
+
+      - name: Resolve account terraform state bucket
+        id: account-state-bucket
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        run: echo "bucket_name=$(bash ./utilities/scripts/resolve_account_terraform_state_bucket.sh)" >> "$GITHUB_OUTPUT"
+
+      - name: Terraform Init (account)
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        working-directory: infrastructure/account
+        env:
+          ACCOUNT_TERRAFORM_BUCKET_NAME: ${{ steps.account-state-bucket.outputs.bucket_name }}
+        run: make init ENVIRONMENT="$ACCOUNT_TERRAFORM_ENVIRONMENT" BUCKET_NAME="$ACCOUNT_TERRAFORM_BUCKET_NAME"
+
+      - name: Terraform Plan (account)
+        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
+        # A stuck process can still be killed with the force-cancel API operation
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' && !failure() }}
+        working-directory: infrastructure/account
+        run: make plan-ci ENVIRONMENT="$ACCOUNT_TERRAFORM_ENVIRONMENT"
+
+      - name: Save Account Terraform Plan
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: ${{ env.ACCOUNT_TERRAFORM_ARTIFACT_NAME }}
+          path: infrastructure/account/tfplan
+
+      - name: Attest Account Terraform Plan
+        if: ${{ steps.diff.outputs.account_infra_changed == 'true' }}
+        uses: actions/attest@v4
+        with:
+          subject-path: infrastructure/account/tfplan
+
+  account-terraform-approval:
+    permissions: {}
+    needs: [account-terraform-plan]
+    if: ${{ !cancelled() && needs.account-terraform-plan.result == 'success' && needs.account-terraform-plan.outputs.account_infra_changed == 'true' }}
+    runs-on: ubuntu-latest
+    environment:
+      name: account-apply-${{ inputs.environment }}
+    steps:
+      - name: Await manual approval
+        run: echo "Manual approval granted"
+
+  account-terraform-apply:
+    permissions:
+      id-token: write
+      contents: read
+      attestations: read
+    needs: [account-terraform-plan, account-terraform-approval]
+    if: ${{ !cancelled() && needs.account-terraform-plan.result == 'success' && needs.account-terraform-plan.outputs.account_infra_changed == 'true' && needs.account-terraform-approval.result == 'success' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    environment:
+      name: ${{ inputs.environment }}
+    env:
+      ACCOUNT_TERRAFORM_ENVIRONMENT: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
+        with:
+          ref: ${{ needs.account-terraform-plan.outputs.plan_sha }}
+
+      - name: Connect to AWS
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: ${{ format('github-actions-{0}-{1}-{2}', github.run_id, github.run_attempt, github.job) }}
+
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+        with:
+          terraform_version: ${{ env.ACCOUNT_TERRAFORM_VERSION }}
+
+      - name: Resolve account terraform state bucket
+        id: account-state-bucket
+        run: echo "bucket_name=$(bash ./utilities/scripts/resolve_account_terraform_state_bucket.sh)" >> "$GITHUB_OUTPUT"
+
+      - name: Retrieve Account Terraform Plan
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
+        with:
+          name: ${{ env.ACCOUNT_TERRAFORM_ARTIFACT_NAME }}
+          path: infrastructure/account
+
+      - name: Verify Account Terraform Plan Attestation
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh attestation verify infrastructure/account/tfplan \
+            --repo "$GITHUB_REPOSITORY" \
+            --signer-workflow "$GITHUB_REPOSITORY/.github/workflows/account-terraform.yml"
+
+      - name: Terraform Init (account)
+        working-directory: infrastructure/account
+        env:
+          ACCOUNT_TERRAFORM_BUCKET_NAME: ${{ steps.account-state-bucket.outputs.bucket_name }}
+        run: make init ENVIRONMENT="$ACCOUNT_TERRAFORM_ENVIRONMENT" BUCKET_NAME="$ACCOUNT_TERRAFORM_BUCKET_NAME"
+
+      - name: Terraform Apply (account)
+        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
+        # A stuck process can still be killed with the force-cancel API operation
+        if: ${{ !failure() }}
+        working-directory: infrastructure/account
+        run: make apply-ci ENVIRONMENT="$ACCOUNT_TERRAFORM_ENVIRONMENT"

.github/workflows/pr-deploy-and-test.yml

@@ -21,7 +21,7 @@ jobs:
     with:
       apigee_environment: internal-dev
       build_recordprocessor_image: ${{ github.event.action == 'opened' || github.event.action == 'reopened' }}
-      diff_base_sha: ${{ github.event.before }}
+      diff_base_sha: ${{ github.event.action == 'synchronize' && github.event.before || github.event.pull_request.base.sha }}
       diff_head_sha: ${{ github.event.pull_request.head.sha }}
       run_diff_check: ${{ github.event.action == 'synchronize' }}
       create_mns_subscription: true

infrastructure/account/Makefile

@@ -6,6 +6,13 @@ tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
 tf_state= -backend-config="bucket=$(BUCKET_NAME)"
 tf_vars= -var-file=environments/$(ENVIRONMENT)/variables.tfvars
 
+define require_bucket_name
+	@if [ -z "$(strip $(BUCKET_NAME))" ]; then \
+		echo "BUCKET_NAME variable not set. Use 'make init ENVIRONMENT=... BUCKET_NAME=...'"; \
+		exit 1; \
+	fi
+endef
+
 .PHONY: lock-provider workspace init plan apply clean destroy output tf-%
 
 lock-provider:
@@ -17,17 +24,25 @@ workspace:
 	$(tf_cmd) workspace select -or-create $(ENVIRONMENT) && echo "Switched to workspace/environment: $(ENVIRONMENT)"
 
 init:
+	$(require_bucket_name)
 	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars)
 
 init-reconfigure:
+	$(require_bucket_name)
 	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars) -reconfigure
 
 plan: workspace
 	 $(tf_cmd) plan $(tf_vars)
 
+plan-ci: workspace
+	$(tf_cmd) plan $(tf_vars) -out=tfplan -input=false
+
 apply: workspace
 	$(tf_cmd) apply $(tf_vars) -auto-approve
 
+apply-ci: workspace
+	$(tf_cmd) apply -input=false tfplan
+
 clean:
 	rm -rf build .terraform upload-key
 

infrastructure/account/auto_ops_policy.json

@@ -214,6 +214,7 @@
         "iam:DeleteGroupPolicy",
         "iam:ListMFADeviceTags",
         "elasticache:*",
+        "shield:*",
         "iam:DeletePolicyVersion",
         "chatbot:*"
       ],

infrastructure/account/recordprocessor_ecr_repo.tf

@@ -14,7 +14,7 @@ resource "aws_ecr_lifecycle_policy" "recordprocessor_repository_lifecycle_policy
   "rules": [
     {
       "rulePriority": 1,
-      "description": "Keep last 10 images",
+      "description": "Keep last 10 images.",
       "selection": {
         "tagStatus": "any",
         "countType": "imageCountMoreThan",

utilities/scripts/resolve_account_terraform_state_bucket.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -euo pipefail
+
+read -r configured_bucket <<< "${CONFIGURED_ACCOUNT_TERRAFORM_STATE_BUCKET:-}"
+read -r state_bucket_environment <<< "${ACCOUNT_TERRAFORM_STATE_ENVIRONMENT:-}"
+
+[ -n "$configured_bucket" ] && printf '%s\n' "$configured_bucket" && exit 0
+
+[ -n "$state_bucket_environment" ] || {
+  echo "ACCOUNT_TERRAFORM_STATE_ENVIRONMENT must be set when ACCOUNT_TERRAFORM_STATE_BUCKET is not configured." >&2
+  exit 1
+}
+
+case "$state_bucket_environment" in
+  internal-dev|internal-qa|preprod|prod)
+    ;;
+  *)
+    echo "ACCOUNT_TERRAFORM_STATE_ENVIRONMENT must be one of: internal-dev, internal-qa, preprod, prod." >&2
+    exit 1
+    ;;
+esac
+
+printf 'immunisation-%s-terraform-state-files\n' "$state_bucket_environment"