[PRMP-739] Implement recommended delete lifecycle policies for S3

.github/workflows/deploy-sandbox.yml

@@ -39,74 +39,106 @@ jobs:
         env:
           SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}
 
-
-  terraform_plan_apply_base_iam:
-    name: Terraform Plan/Apply (base_iam)
-    runs-on: ubuntu-latest
-    needs: validate_inputs
-    environment: development
-    steps:
-      - name: Checkout branch
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event.inputs.git_ref}}
-
-      - name: Apply base_iam
-        uses: ./.github/actions/tf-plan-apply
-        with:
-          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/dev-github-bootstrap
-          bucket_prefix: "dev"
-          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
-          aws_region: ${{ vars.AWS_REGION }}
-          working_directory: "./base_iam"  # Use separate base_iam directory
-          workspace: ${{ github.event.inputs.sandbox_name }}
-          tf_vars_file: ${{ vars.TF_VARS_FILE }}
-          tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
-
-
   terraform_plan_apply_main:
     name: Terraform Plan/Apply (main)
     if: ${{ !inputs.skip_main_deployment }}
     runs-on: ubuntu-latest
-    needs: terraform_plan_apply_base_iam
+    needs: validate_inputs
     environment: development
     steps:
       - name: Checkout main
         uses: actions/checkout@v6
         with:
           ref: main
 
-      - name: Apply Main
-        uses: ./.github/actions/tf-plan-apply
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
         with:
-          # use newly created role
-          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
-          bucket_prefix: "dev"
-          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
-          aws_region: ${{ vars.AWS_REGION }}
-          workspace: ${{ github.event.inputs.sandbox_name }}
-          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+          terraform_version: 1.14.3
+          terraform_wrapper: false
 
+      - name: Initialise Terraform
+        id: main_init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Select Terraform Workspace
+        id: main_workspace
+        run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}}
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Run Terraform Plan
+        id: main_plan
+        run: |
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Run Terraform Apply
+        run: terraform apply -auto-approve -input=false tf-main.plan
+        working-directory: ./infrastructure
 
   terraform_plan_apply_branch:
     name: Terraform Plan/Apply (branch)
-    if: ${{ always() && github.event.inputs.git_ref != 'main' && needs.validate_inputs.result == 'success' && needs.terraform_plan_apply_base_iam.result == 'success' && (needs.terraform_plan_apply_main.result == 'success' || needs.terraform_plan_apply_main.result == 'skipped') }}
+    if: ${{ always() && github.event.inputs.git_ref != 'main' && needs.validate_inputs.result == 'success' && (needs.terraform_plan_apply_main.result == 'success' || needs.terraform_plan_apply_main.result == 'skipped') }}
     runs-on: ubuntu-latest
-    needs: [validate_inputs, terraform_plan_apply_base_iam, terraform_plan_apply_main]
+    needs: [validate_inputs, terraform_plan_apply_main]
     environment: development
     steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          mask-aws-account-id: true
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.14.3
+          terraform_wrapper: false
+
       - name: Checkout Branch
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.inputs.git_ref}}
 
-      - name: Apply Branch
-        uses: ./.github/actions/tf-plan-apply
-        with:
-          # use newly created role
-          aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ github.event.inputs.sandbox_name}}-github-actions-role
-          bucket_prefix: "dev"
-          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
-          aws_region: ${{ vars.AWS_REGION }}
-          workspace: ${{ github.event.inputs.sandbox_name }}
-          tf_vars_file: ${{ vars.TF_VARS_FILE }}
+        # Checks that all Terraform configuration files adhere to a canonical format.
+      - name: Check Terraform Formatting
+        run: terraform fmt -check
+        working-directory: ./infrastructure
+
+      - name: Initialise Terraform
+        id: init
+        run: terraform init -backend-config=backend.conf
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Select Terraform Workspace
+        id: workspace
+        run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}}
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Run Terraform Plan
+        id: plan
+        run: |
+          terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
+        working-directory: ./infrastructure
+        shell: bash
+
+      - name: Run Terraform Apply (branch over main)
+        run: terraform apply -auto-approve -input=false tf.plan
+        working-directory: ./infrastructure

.github/workflows/tear-down-sandbox.yml

@@ -77,6 +77,16 @@ jobs:
         with:
           ref: ${{ inputs.git_ref }}
 
+      - name: Setup Python 3.11
+        uses: actions/setup-python@v6
+        with:
+          python-version: 3.11
+
+      - name: Install Python Dependencies
+        run: |
+          python3 -m venv ./venv
+          ./venv/bin/pip3 install --upgrade pip boto3
+
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v5
         with:
@@ -101,71 +111,6 @@ jobs:
         run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
         working-directory: ./infrastructure
 
-  terraform_destroy_base_iam:
-    name: Terraform Destroy (base_iam)
-    # Only destroy base_iam in a Sandbox environment. Don't tear down in ndr-test or ndr-dev environments.
-    if: ${{ github.event.inputs.environment == 'development' && github.event.inputs.sandbox_name != 'ndr-dev' }}
-    runs-on: ubuntu-latest
-    needs: [terraform_destroy]
-    environment: ${{ inputs.environment }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.git_ref }}
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/dev-github-bootstrap
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
-        with:
-          terraform_version: 1.14.3
-
-      - name: Initialise Terraform
-        run: terraform init -backend-config=bucket=ndr-dev-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
-        working-directory: ./base_iam
-
-      - name: Select Terraform Workspace
-        run: terraform workspace select ${{ inputs.sandbox_name }}
-        working-directory: ./base_iam
-
-      - name: Run Terraform Destroy
-        run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" -var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}
-        working-directory: ./base_iam
-
-  cleanup_resources:
-    name: Cleanup Resources
-    runs-on: ubuntu-latest
-    needs: [terraform_destroy_base_iam]
-    environment: ${{ inputs.environment }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-        with:
-          ref: ${{ inputs.git_ref }}
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v5
-        with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/dev-github-bootstrap
-          aws-region: ${{ vars.AWS_REGION }}
-          mask-aws-account-id: true
-
-      - name: Setup Python 3.11
-        uses: actions/setup-python@v6
-        with:
-          python-version: 3.11
-
-      - name: Install Python Dependencies
-        run: |
-          python3 -m venv ./venv
-          ./venv/bin/pip3 install --upgrade pip boto3
-
       - name: Run Cleanup Script (Terraform Workspace)
         run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_name }}