Enhance deployment workflow with Terraform planning step

Thomas-Boyle · Thomas-Boyle · commit a96ae2d249ce · 2026-03-10T19:32:41.000Z
- Introduced a new `terraform-plan` job in the deployment workflow to manage infrastructure changes before applying them.
- Added steps for AWS connection, Terraform initialization, and planning, ensuring a structured approach to infrastructure management.
- Updated the `build-and-push-recordprocessor` job to depend on the `terraform-apply` job, streamlining the deployment process.
- Removed redundant image tag output handling, simplifying the workflow logic.
diff --git a/.github/workflows/deploy-backend.yml b/.github/workflows/deploy-backend.yml
@@ -51,14 +51,54 @@ env: # Sonarcloud - do not allow direct usage of untrusted data
 run-name: Deploy Backend - ${{ inputs.environment }} ${{ inputs.sub_environment }}
 
 jobs:
+  terraform-plan:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    env:
+      TF_VAR_recordprocessor_image_tag: ${{ github.sha }}
+    environment:
+      name: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
+
+      - name: Connect to AWS
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init
+        working-directory: infrastructure/instance
+        run: make init
+
+      - name: Terraform Plan
+        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
+        # A stuck process can still be killed with the force-cancel API operation
+        if: ${{ !failure() }}
+        working-directory: infrastructure/instance
+        run: make plan-ci
+
+      - name: Save Terraform Plan
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
+        with:
+          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
+          path: infrastructure/instance/tfplan
+
   build-and-push-recordprocessor:
     permissions:
       id-token: write
       contents: read
     name: Build and push recordprocessor image
+    needs: terraform-apply
     runs-on: ubuntu-latest
-    outputs:
-      image_tag: ${{ steps.build-and-push.outputs.image_tag }}
 
     environment:
       name: ${{ inputs.environment }}
@@ -83,20 +123,12 @@ jobs:
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076
 
       - name: Build and push Docker image
-        id: build-and-push
         env:
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          SUB_ENVIRONMENT: ${{ env.SUB_ENVIRONMENT }}
         working-directory: lambdas
         run: |
           IMAGE_TAG="${GITHUB_SHA}"
           REPOSITORY_NAME="imms-${SUB_ENVIRONMENT}-processing-repo"
-
-          if ! aws ecr describe-repositories --repository-names "${REPOSITORY_NAME}" --region "${AWS_REGION}" >/dev/null 2>&1; then
-            echo "ECR repository ${REPOSITORY_NAME} does not exist; creating now..."
-            aws ecr create-repository --repository-name "${REPOSITORY_NAME}" --region "${AWS_REGION}"
-          fi
-
           IMAGE_URI="${ECR_REGISTRY}/${REPOSITORY_NAME}:${IMAGE_TAG}"
 
           if aws ecr describe-images --repository-name "${REPOSITORY_NAME}" --image-ids imageTag="${IMAGE_TAG}" --region "${AWS_REGION}" >/dev/null 2>&1; then
@@ -106,60 +138,14 @@ jobs:
             docker push "${IMAGE_URI}"
           fi
 
-          echo "image_tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
-
-  terraform-plan:
-    permissions:
-      id-token: write
-      contents: read
-    needs: build-and-push-recordprocessor
-    runs-on: ubuntu-latest
-    env:
-      TF_VAR_recordprocessor_image_tag: ${{ needs.build-and-push-recordprocessor.outputs.image_tag }}
-    environment:
-      name: ${{ inputs.environment }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
-
-      - name: Connect to AWS
-        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
-        with:
-          aws-region: eu-west-2
-          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
-          role-session-name: github-actions
-
-      - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85
-        with:
-          terraform_version: "1.12.2"
-
-      - name: Terraform Init
-        working-directory: infrastructure/instance
-        run: make init
-
-      - name: Terraform Plan
-        # Ignore cancellations to prevent Terraform from being killed while it holds a state lock
-        # A stuck process can still be killed with the force-cancel API operation
-        if: ${{ !failure() }}
-        working-directory: infrastructure/instance
-        run: make plan-ci
-
-      - name: Save Terraform Plan
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
-        with:
-          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
-          path: infrastructure/instance/tfplan
-
   terraform-apply:
     permissions:
       id-token: write
       contents: read
-    needs:
-      - terraform-plan
-      - build-and-push-recordprocessor
+    needs: terraform-plan
     runs-on: ubuntu-latest
     env:
-      TF_VAR_recordprocessor_image_tag: ${{ needs.build-and-push-recordprocessor.outputs.image_tag }}
+      TF_VAR_recordprocessor_image_tag: ${{ github.sha }}
     environment:
       name: ${{ inputs.environment }}
     steps:
