VIA-373 AJ/AS Update GitHub workflow for all environments to deploy IAM before app

Author: ankur-jain-nhs

.github/workflows/stage-4-deploy.yaml

@@ -81,15 +81,15 @@ jobs:
         run: echo "TF_VAR_alarms_slack_channel_id=${{ secrets.ALARMS_SLACK_CHANNEL_ID }}" >> $GITHUB_ENV
       - name: "Set the app version being deployed"
         run: echo "TF_VAR_app_version=${{ steps.tag-or-sha.outputs.value }}" >> $GITHUB_ENV
-      - name: "Terraform init (shared)"
-        id: init-shared
-        run: TF_ENV=shared make terraform-init
-      - name: "Terraform plan (shared)"
-        id: plan-shared
-        run: TF_ENV=shared make terraform-plan opts="-out=terraform-shared.tfplan"
-      - name: "Terraform apply (shared)"
-        id: apply-shared
-        run: TF_ENV=shared make terraform-apply opts="-auto-approve" opts="terraform-shared.tfplan"
+      - name: "Terraform init (iam)"
+        id: init-iam
+        run: TF_ENV=${{ inputs.environment }}/iam make terraform-init
+      - name: "Terraform plan (iam)"
+        id: plan-iam
+        run: TF_ENV=${{ inputs.environment }}/iam make terraform-plan opts="-out=terraform-iam.tfplan"
+      - name: "Terraform apply (iam)"
+        id: apply-iam
+        run: TF_ENV=${{ inputs.environment }}/iam make terraform-apply opts="-auto-approve" opts="terraform-iam.tfplan"
       - name: "Terraform init (app)"
         id: init-app
         run: TF_ENV=${{ inputs.environment }} make terraform-init

…/environments/shared/.terraform.lock.hcl …environments/dev/iam/.terraform.lock.hclinfrastructure/environments/shared/.terraform.lock.hcl renamed to infrastructure/environments/dev/iam/.terraform.lock.hcl infrastructure/environments/shared/.terraform.lock.hcl renamed to infrastructure/environments/dev/iam/.terraform.lock.hcl

@@ -1,5 +1,5 @@
 module "deploy_iam" {
-  source = "../../modules/deploy_iam"
+  source = "../../../modules/deploy_iam"
 
   account_id        = data.aws_caller_identity.current.account_id
   prefix            = local.prefix

…frastructure/environments/shared/data.tf …rastructure/environments/dev/iam/data.tfinfrastructure/environments/shared/data.tf renamed to infrastructure/environments/dev/iam/data.tf infrastructure/environments/shared/data.tf renamed to infrastructure/environments/dev/iam/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

…astructure/environments/shared/locals.tf …structure/environments/dev/iam/locals.tfinfrastructure/environments/shared/locals.tf renamed to infrastructure/environments/dev/iam/locals.tf infrastructure/environments/shared/locals.tf renamed to infrastructure/environments/dev/iam/locals.tf

@@ -0,0 +1,29 @@
+locals {
+  region = "eu-west-2"
+
+  project_identifier           = "vaccinations-app"
+  project_identifier_shortcode = "vita"
+
+  environment      = "preprod"
+  deploy_workspace = var.is_github_action ? "gh" : terraform.workspace
+  prefix           = "${local.deploy_workspace}-${local.project_identifier_shortcode}-${data.aws_caller_identity.current.account_id}"
+
+  default_tags = {
+    ManagedBy   = "Terraform"
+    Project     = local.project_identifier
+    Environment = local.environment
+  }
+}
+
+resource "null_resource" "check_workspace" {
+  lifecycle {
+    precondition {
+      condition     = var.is_github_action || terraform.workspace != "default"
+      error_message = <<EOT
+  ❌ Default workspace is not allowed locally. It is reserved for GitHub actions.
+  ✅ Please switch to a named workspace like this (replace <name> with your workspace):
+  ( cd infrastructure/environments/dev; terraform workspace select <name>; terraform workspace list )
+  EOT
+    }
+  }
+}