From 928b629c781316dc1ac014373245b41acd2ac40e Mon Sep 17 00:00:00 2001 From: David Sibley Date: Mon, 11 Dec 2023 15:21:03 +0000 Subject: [PATCH] added role assumption to test job --- .../reusable_terraform_plan_apply_test.yml | 48 +++++++++++++++---- 1 file changed, 39 insertions(+), 9 deletions(-) diff --git a/.github/workflows/reusable_terraform_plan_apply_test.yml b/.github/workflows/reusable_terraform_plan_apply_test.yml index 9861c7ddf7f..9f895cff68b 100644 --- a/.github/workflows/reusable_terraform_plan_apply_test.yml +++ b/.github/workflows/reusable_terraform_plan_apply_test.yml @@ -42,11 +42,6 @@ on: required: false description: "The terraform version to use" default: "~1.5" - init_plan_apply_tfargs: - type: string - required: false - description: "Any terraform arguments to be passed into terrafrom init, plan and apply, e.g. --lock-timeout=300s" - default: "-input=false -lock-timeout=300s" plan_apply_tfargs: type: string required: false @@ -97,6 +92,12 @@ jobs: run: | ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV + + - name: Get Backend AWS Account Number + run: | + BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) + echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: 
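Review bot: The `init_plan_apply_tfargs` input is deleted from `on.workflow_call.inputs` in this hunk, but the `tf_args=` lines in the hunks at -128 (state refresh), -253 (plan) and -260 (apply) still expand `${{ inputs.init_plan_apply_tfargs }}` as unchanged context. For an undeclared input that expression evaluates to an empty string rather than failing, so the former default `-input=false -lock-timeout=300s` silently drops out of refresh, plan and apply with no error in the run log. Either keep the input (its description can be narrowed to plan/apply now that init no longer uses it) or change those three lines to read only `${{ inputs.plan_apply_tfargs }}` (keeping the `-out x.tfplan` / `x.tfplan` parts) and carry the defaults in `plan_apply_tfargs` instead.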
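Review bot: The new "Get Backend AWS Account Number" step is the same four lines added again in the terratest, apply and smoketest jobs (hunks at -197, -223 and -273); it could instead be a second assignment inside the existing "Get AWS Account Number" step, which already parses `$ENVIRONMENT_MANAGEMENT` with `jq`, e.g. `BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)` followed by `echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV`. The `-e` flag is doing real work here: a missing or null key fails the step instead of letting init assume a role ARN with an empty account field, so a one-line comment above the assignment, `# -e: fail here if modernisation_platform_account_id is absent rather than build a malformed role ARN`, would stop it being removed later as redundant.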
@@ -114,12 +115,14 @@ jobs: working-directory: "terraform/environments/${{ inputs.application }}" run: | terraform --version - echo "terraform init ${{ inputs.init_plan_apply_tfargs }}" - terraform init ${{ inputs.init_plan_apply_tfargs }} + echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}" + terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"} + - name: Terraform Workspace Select working-directory: "terraform/environments/${{ inputs.application }}" run: | terraform workspace select "${WORKSPACE_NAME}" + - name: Terraform State Refresh (Optional) if: inputs.do_state_refresh_on_plan == true working-directory: "terraform/environments/${{ inputs.application }}" @@ -128,6 +131,7 @@ jobs: tf_args="${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }}" echo "terraform apply -refresh-only -auto-approve ${tf_args}" terraform apply -refresh-only -auto-approve ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh + - name: Terraform Plan id: plan env: @@ -144,6 +148,7 @@ jobs: echo "exitcode=${exitcode}" # 0=clean plan, 1=error, 2=stuff in plan echo "exitcode=${exitcode}" >> $GITHUB_OUTPUT (( exitcode == 1 )) && exit 1 || exit 0 + - name: Create Plan PR message (Optional) if: github.event_name == 'pull_request' && steps.plan.outputs.exitcode == '2' && inputs.post_plan_to_pr == true working-directory: "terraform/environments/${{ inputs.application }}" @@ -164,6 +169,7 @@ jobs: echo 'TF_PLAN_OUT<> $GITHUB_ENV comment >> $GITHUB_ENV echo 'EOF' >> $GITHUB_ENV + - name: Hide Previous PR comment (Optional) if: ${{ github.event_name == 'pull_request' }} working-directory: "scripts/minimise-comments" 
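Review bot: The new `terraform init` line splices `${{env.BACKEND_NUMBER}}` into the script text as a workflow expression, so the value is substituted before bash runs; for a `run:` step the usual pattern is to read it from the shell environment instead, `-backend-config=assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}`, and likewise in the preceding `echo`. The same two lines appear again in the apply job in the hunk at -240. The rewrite also drops the `${{ inputs.init_plan_apply_tfargs }}` arguments from init, so `-input=false -lock-timeout=300s` is no longer passed to `terraform init`; if that is deliberate, a comment above the line saying why init no longer takes those flags would help, otherwise `-input=false` should be re-added explicitly. The step's `- name:` line sits above this hunk.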
@@ -173,6 +179,7 @@ jobs: run: | go build ./minimise-comments + - name: Post Plan to PR (Optional) if: github.event_name == 'pull_request' && steps.plan.outputs.exitcode == '2' && inputs.post_plan_to_pr == true env: @@ -184,6 +191,7 @@ jobs: -H "Authorization: Bearer ${{ env.GITHUB_TOKEN }}" \ "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ -d '{"body":'"${escaped_message}"'}' + terratest: name: "terratest" needs: plan @@ -197,6 +205,12 @@ jobs: run: | ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV + + - name: Get Backend AWS Account Number + run: | + BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) + echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: @@ -223,6 +237,12 @@ jobs: run: | ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV + + - name: Get Backend AWS Account Number + run: | + BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) + echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: 
@@ -240,12 +260,14 @@ jobs: working-directory: "terraform/environments/${{ inputs.application }}" run: | terraform --version - echo "terraform init ${{ inputs.init_plan_apply_tfargs }}" - terraform init ${{ inputs.init_plan_apply_tfargs }} + echo "terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"}" + terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::${{env.BACKEND_NUMBER}}:role/modernisation-account-terraform-state-member-access\"} + - name: Terraform Workspace Select working-directory: "terraform/environments/${{ inputs.application }}" run: | terraform workspace select "${WORKSPACE_NAME}" + - name: Terraform Plan working-directory: "terraform/environments/${{ inputs.application }}" run: | @@ -253,6 +275,7 @@ jobs: tf_args="-out x.tfplan ${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }}" echo "terraform plan ${tf_args}" terraform plan ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh + - name: Terraform Apply working-directory: "terraform/environments/${{ inputs.application }}" run: | @@ -260,6 +283,7 @@ jobs: tf_args="${{ inputs.init_plan_apply_tfargs }} ${{ inputs.plan_apply_tfargs }} x.tfplan" echo "terraform apply ${tf_args}" terraform apply ${tf_args} | bash ${GITHUB_WORKSPACE}/scripts/redact-output.sh + smoketest: name: "smoketest" needs: apply @@ -273,6 +297,12 @@ jobs: run: | ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT) echo "ACCOUNT_NUMBER=${ACCOUNT_NUMBER}" >> $GITHUB_ENV + + - name: Get Backend AWS Account Number + run: | + BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) + echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV + - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: