feat(on-approval): trigger on approval

jshiwamV · jshiwamV · commit 4069100a4cec · 2025-10-27T15:59:33.000+05:30
diff --git a/.github/setup/azure/main.tf b/.github/setup/azure/main.tf
@@ -101,7 +101,7 @@ data "azurerm_client_config" "current" {}
 #   principal_id         = azuread_service_principal.github_actions.object_id
 # }
 
-# Facing issues with the custom role definition, so using the built-in Contributor role instead. Figure it out later
+# Facing issues with the custom role definition, so using the built-in Contributor role instead. Because I cannot create custom role definitions.
 # For resource group creation/management (required by networking fixture)
 # Note: No specific "Resource Group Contributor" role exists - using generic Contributor
 # resource "azurerm_role_assignment" "github_actions_contributor" {
@@ -130,7 +130,7 @@ data "azurerm_client_config" "current" {}
 #   ]
 # }
 
-# # Assign the custom resource group role
+# # Assign the custom resource group role not able to perform this getting authz error
 # resource "azurerm_role_assignment" "github_actions_resource_group_manager" {
 #   scope              = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
 #   role_definition_id = azurerm_role_definition.resource_group_manager.role_definition_resource_id
@@ -142,3 +142,40 @@ resource "azurerm_role_assignment" "github_actions_contributor" {
   role_definition_name = "Contributor"
   principal_id         = azuread_service_principal.github_actions.object_id
 }
+
+# RBAC Administrator role for AKS role assignments
+# AKS modules need to assign network roles to managed identities and subnets
+# Commented out due to ABAC restrictions - use more specific roles instead
+# Maybe make it more restrictive to only assing
+# ---> Network Contributor and Storage Blob Data Contributor since we only assign those in az modules
+resource "azurerm_role_assignment" "github_actions_rbac_admin" {
+  scope                = "/subscriptions/${data.azurerm_client_config.current.subscription_id}"
+  role_definition_name = "Role Based Access Control Administrator"  
+  principal_id         = azuread_service_principal.github_actions.object_id
+  
+  # ABAC condition to block assignment of high-privilege roles
+  # Allows assignment of any role EXCEPT: Owner, User Access Administrator, RBAC Administrator
+  # Role GUIDs: 8e3af657... (Owner), 18d7d88d... (User Access Admin), f58310d9... (RBAC Admin)
+  condition = <<-EOT
+    (
+      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) 
+      OR 
+      (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {
+        8e3af657-a8ff-443c-a75c-2fe8c4bcb635, 
+        18d7d88d-d35e-4fb5-a5c3-7773c20a72d9, 
+        f58310d9-a9f6-439a-9e8d-f62e7b41a168
+      })
+    ) 
+    AND 
+    (
+      (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) 
+      OR 
+      (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAllValues:GuidNotEquals {
+        8e3af657-a8ff-443c-a75c-2fe8c4bcb635, 
+        18d7d88d-d35e-4fb5-a5c3-7773c20a72d9, 
+        f58310d9-a9f6-439a-9e8d-f62e7b41a168
+      })
+    )
+  EOT
+  condition_version    = "2.0"
+}
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -0,0 +1,53 @@
+# Infrastructure Testing Workflows
+
+## 🛡️ **Approval-Gated Testing**
+
+Infrastructure tests **require PR approval** to prevent accidental resource provisioning and manage costs.
+
+### **How It Works**
+1. **Create PR** → No tests run initially
+2. **Get approval** → Tests run automatically  
+3. **Push changes** → Tests re-run automatically (if PR approved)
+4. **Manual trigger** → Use `gh workflow run test-<cloud>.yml` if needed
+
+
+### **What Gets Tested**
+
+| Path Changes | Tests Triggered |
+|-------------|----------------|
+| `*/modules/**/*.tf`, `kubernetes/modules/**/*.{tf,yaml,yml}` | ✅ Relevant cloud tests |
+| `test/aws/**/*.{go,tf}`, `test/gcp/**/*.{go,tf}`, `test/azure/**/*.{go,tf}` | ✅ Relevant cloud tests |
+| `test/utils/**`, `test/shared/**`, `test/*.go` | ✅ **All cloud tests** |
+| `*/examples/**`, `README.md`, `.env`, docs | ❌ No tests |
+
+### **Features**
+- ✅ **Granular path filtering** - Only tests infrastructure changes (excludes docs/README)
+- ✅ **Smart cloud detection** - Tests only affected clouds, or all clouds for shared changes
+- ✅ **Race condition prevention** - One workflow per PR
+- ✅ **Parallel cloud testing** - AWS/GCP/Azure run simultaneously  
+- ✅ **Auto-retest** - New pushes trigger tests if PR approved
+
+## **Setup Requirements**
+
+**Repository Secrets:**
+```
+MATERIALIZE_LICENSE_KEY
+AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID  
+GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT_EMAIL
+```
+
+**Repository Variables:**
+```
+GA_AWS_IAM_ROLE
+TF_TEST_S3_BUCKET, TF_TEST_S3_REGION, TF_TEST_S3_PREFIX
+GOOGLE_PROJECT, AWS_REGION
+```
+
+## **Manual Override**
+
+```bash
+# Run tests without approval (requires repo access)
+gh workflow run test-aws.yml --ref your-branch
+gh workflow run test-gcp.yml --ref your-branch  
+gh workflow run test-azure.yml --ref your-branch
+```
diff --git a/.github/workflows/test-aws.yml b/.github/workflows/test-aws.yml
@@ -1,7 +1,9 @@
 name: AWS Tests
 
 on:
-  # Manual trigger for testing
+  # Only run via approval workflow or manual trigger
+  # Removed pull_request trigger to prevent duplicate runs
+  workflow_call: # Called by test-on-approval.yml
   workflow_dispatch:
     inputs:
       test_stage:
@@ -25,6 +27,7 @@ jobs:
   test-aws:
     name: AWS Infrastructure Tests
     runs-on: ubuntu-latest
+    # Note: Approval-gated tests now handled by test-on-approval.yml workflow
 
     steps:
       - name: Checkout code
diff --git a/.github/workflows/test-azure.yml b/.github/workflows/test-azure.yml
@@ -1,9 +1,9 @@
 name: Azure Tests
 
 on:
-  pull_request:
-    branches: [main]
-  # Manual trigger for testing
+  # Only run via approval workflow or manual trigger
+  # Removed pull_request trigger to prevent duplicate runs
+  workflow_call: # Called by test-on-approval.yml
   workflow_dispatch:
     inputs:
       test_stage:
@@ -27,6 +27,7 @@ jobs:
   test-azure:
     name: Azure Infrastructure Tests
     runs-on: ubuntu-latest
+    # Note: Approval-gated tests now handled by test-on-approval.yml workflow
 
     steps:
       - name: Checkout code
diff --git a/.github/workflows/test-gcp.yml b/.github/workflows/test-gcp.yml
@@ -1,7 +1,9 @@
 name: GCP Tests
 
 on:
-  # Manual trigger for testing
+  # Only run via approval workflow or manual trigger
+  # Removed pull_request trigger to prevent duplicate runs
+  workflow_call: # Called by test-on-approval.yml
   workflow_dispatch:
     inputs:
       test_stage:
@@ -25,6 +27,7 @@ jobs:
   test-gcp:
     name: GCP Infrastructure Tests
     runs-on: ubuntu-latest
+    # Note: Approval-gated tests now handled by test-on-approval.yml workflow
 
     steps:
       - name: Checkout code
diff --git a/.github/workflows/test-on-approval.yml b/.github/workflows/test-on-approval.yml
