Innovate-Future-Foundation / terraform-bootstrap

Init code for terraform backend and authentication

Init CI workflow for Terraform Bootstrap #4

Closed JuicyASen closed 17 hours ago

JuicyASen commented 21 hours ago

Summary

This is the initialisation of the CI workflow for Terraform bootstrap. The current workflow only contains Terraform setup and plan. We need further discussion about the deploy strategy (terraform apply).

Details

Testing

I have tested the pipeline locally using act, with secrets managed in local files.

JuicyASen commented 21 hours ago

Maybe I shouldn't test it with our org env, lol.

github-actions[bot] commented 21 hours ago

📝 Terraform Plan

→ Resource Changes: 8 to create, 0 to update, 0 to re-create, 0 to delete.

✨ Create

module.oidc_provider.aws_iam_openid_connect_provider.github ```diff + arn = (known after apply) + client_id_list = [ + "sts.amazonaws.com", ] + id = (known after apply) + tags_all = (known after apply) + thumbprint_list = [ + "d89e3bd43d5d909b47a18977aa9d5ce36cee184c", ] + url = "https://token.actions.githubusercontent.com" ```
module.terraform_locks["access-control"].aws_dynamodb_table.terraform_locks ```diff + arn = (known after apply) + billing_mode = "PAY_PER_REQUEST" + hash_key = "LockID" + id = (known after apply) + name = "inff-access-control-tflock" + read_capacity = (known after apply) + stream_arn = (known after apply) + stream_label = (known after apply) + stream_view_type = (known after apply) + tags_all = (known after apply) + write_capacity = (known after apply) + attribute { + name = "LockID" + type = "S" } + point_in_time_recovery (known after apply) + server_side_encryption (known after apply) + ttl (known after apply) ```
module.terraform_roles["access-control"].aws_iam_role.remote_sts_role ```diff + arn = (known after apply) + assume_role_policy = (known after apply) + create_date = (known after apply) + force_detach_policies = false + id = (known after apply) + managed_policy_arns = (known after apply) + max_session_duration = 3600 + name = "oidc-inff-access-control" + name_prefix = (known after apply) + path = "/" + tags_all = (known after apply) + unique_id = (known after apply) + inline_policy (known after apply) ```
module.terraform_roles["access-control"].aws_iam_role_policy_attachments_exclusive.example ```diff + policy_arns = [ + "arn:aws:iam::aws:policy/IAMFullAccess", ] + role_name = "oidc-inff-access-control" ```
module.terraform_state["access-control"].aws_s3_bucket.terraform_state ```diff + acceleration_status = (known after apply) + acl = (known after apply) + arn = (known after apply) + bucket = "inff-access-control-tfstate" + bucket_domain_name = (known after apply) + bucket_prefix = (known after apply) + bucket_regional_domain_name = (known after apply) + force_destroy = false + hosted_zone_id = (known after apply) + id = (known after apply) + object_lock_enabled = (known after apply) + policy = (known after apply) + region = (known after apply) + request_payer = (known after apply) + tags_all = (known after apply) + website_domain = (known after apply) + website_endpoint = (known after apply) + cors_rule (known after apply) + grant (known after apply) + lifecycle_rule (known after apply) + logging (known after apply) + object_lock_configuration (known after apply) + replication_configuration (known after apply) + server_side_encryption_configuration (known after apply) + versioning (known after apply) + website (known after apply) ```
module.terraform_state["access-control"].aws_s3_bucket_public_access_block.terraform_state ```diff + block_public_acls = true + block_public_policy = true + bucket = (known after apply) + id = (known after apply) + ignore_public_acls = true + restrict_public_buckets = true ```
module.terraform_state["access-control"].aws_s3_bucket_server_side_encryption_configuration.terraform_state ```diff + bucket = (known after apply) + id = (known after apply) + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" # (1 unchanged attribute hidden) } } ```
module.terraform_state["access-control"].aws_s3_bucket_versioning.terraform_state ```diff + bucket = (known after apply) + id = (known after apply) + versioning_configuration { + mfa_delete = (known after apply) + status = "Enabled" } ```
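
Review bot: `IAMFullAccess` on `oidc-inff-access-control` (in `module.terraform_roles["access-control"].aws_iam_role_policy_attachments_exclusive.example`) is far broader than a CI role should hold. With that policy, whoever assumes the role can create or modify any IAM role and policy in the account and so grant themselves any other permission. Replace it with a customer-managed policy scoped to the IAM paths and actions this workspace actually manages, or at least add a permissions boundary to the role. The resource is also still named `example`; give it a descriptive name before merge. Separately, the plan attaches nothing that grants this role access to the `inff-access-control-tfstate` bucket or the `inff-access-control-tflock` table, so if the role is meant to run Terraform against that backend it will need those permissions too.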
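
Review bot: the trust policy of `module.terraform_roles["access-control"].aws_iam_role.remote_sts_role` cannot be reviewed from this plan, because `assume_role_policy = (known after apply)` hides it. For a role federated through `https://token.actions.githubusercontent.com`, the trust policy is the control that decides which repositories and branches may assume it. Please include the rendered policy in the PR description (or build it from values known at plan time) so reviewers can confirm it has conditions on `token.actions.githubusercontent.com:aud` equal to `sts.amazonaws.com` and on `token.actions.githubusercontent.com:sub` restricted to the intended repository and ref, with no wildcard that covers other organisations.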
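
Review bot: none of the 8 planned resources is a bucket policy for `inff-access-control-tfstate` in `module.terraform_state["access-control"]`; the plan creates only the public access block, `AES256` encryption and versioning for it. Since this bucket will hold state for the access-control workspace, consider adding an `aws_s3_bucket_policy` that denies requests where `aws:SecureTransport` is false and limits object access to the Terraform role, so that access to the state does not depend solely on identity policies elsewhere in the account.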

Triggered by @JuicyASen, Commit: 86f4ccc9aae9615517da7af088094d160aa528c6