VIA-598 Use version branch to deploy IAM permissions

donna-belsey-nhs · donna-belsey-nhs · commit e95f821aba05 · 2025-11-20T14:38:52.000Z
The adaptation to allow IAM permissions from main to be used is no
longer required now that the permissions have been applied to the R1
branch
diff --git a/.github/actions/deploy/action.yml b/.github/actions/deploy/action.yml
@@ -21,19 +21,11 @@ inputs:
 runs:
   using: composite
   steps:
-    #################################################
-    # Setup GitHub IAM user permissions in AWS first
-    #################################################
-
-    # Rationale:
-    #  - why? given we reuse preprod for R1.0 and R2.0, when IAM permission change across releases, then deployment fails
-    #  - constraint? make sure R2.0 IAM permissions are a superset of R1.0 IAM permissions
-    #  - what? deploy IAM from R2.0 as it is a superset and then R1.0 deployments will succeed as well
-    - name: "Checkout main branch"
+    - name: "Checkout target code"
       uses: actions/checkout@v5
       with:
-        ref: 'main'
-        path: "code-for-iam"
+        ref: ${{ inputs.tag_or_sha_to_deploy }}
+        path: "code-for-app"
 
     - name: "Configure AWS credentials"
       uses: aws-actions/configure-aws-credentials@v5
@@ -42,50 +34,26 @@ runs:
         role-to-assume: ${{ inputs.secret_aws_iam_role }}
         aws-region: eu-west-2
 
+    #################################################
+    # Set up Terraform
+    #################################################
+
     - name: "Identify Terraform version"
       shell: bash
-      working-directory: "./code-for-iam"
-      id: identify-terraform-version-main
+      id: identify-terraform-version
+      working-directory: "./code-for-app"
       run: |
         echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
 
     - name: "Install Terraform version"
       uses: hashicorp/setup-terraform@v3
       with:
-        terraform_version: "${{ steps.identify-terraform-version-main.outputs.terraform_version }}"
-
-    - name: "Set terraform environment vars"
-      shell: bash
-      run: |
-        echo "TF_VAR_is_github_action=true" >> $GITHUB_ENV
-        echo "TF_VAR_alarms_slack_channel_id=${{ inputs.secret_aws_slack_channel_id }}" >> $GITHUB_ENV
-        echo "TF_VAR_app_version=${{ inputs.tag_or_sha_to_deploy }}" >> $GITHUB_ENV
-
-    - name: "Terraform init (iam)"
-      shell: bash
-      working-directory: "./code-for-iam"
-      run: TF_ENV=${{ inputs.environment }}/iam make terraform-init
-
-    - name: "Terraform plan (iam)"
-      shell: bash
-      working-directory: "./code-for-iam"
-      run: TF_ENV=${{ inputs.environment }}/iam make terraform-plan opts="-out=terraform-iam.tfplan"
-
-    - name: "Terraform apply (iam)"
-      shell: bash
-      working-directory: "./code-for-iam"
-      run: TF_ENV=${{ inputs.environment }}/iam make terraform-apply opts="-auto-approve" opts="terraform-iam.tfplan"
+        terraform_version: "${{ steps.identify-terraform-version.outputs.terraform_version }}"
 
     #################################################
     # Download the required artefacts from AWS
     #################################################
 
-    - name: "Checkout target code"
-      uses: actions/checkout@v5
-      with:
-        ref: ${{ inputs.tag_or_sha_to_deploy }}
-        path: "code-for-app"
-
     - name: "Download artefacts from S3 bucket"
       shell: bash
       working-directory: "./code-for-app"
@@ -109,21 +77,35 @@ runs:
         unzip open-next.zip
         rm -rf open-next.zip
 
+    - name: "Set terraform environment vars"
+      shell: bash
+      run: |
+        echo "TF_VAR_is_github_action=true" >> $GITHUB_ENV
+        echo "TF_VAR_alarms_slack_channel_id=${{ inputs.secret_aws_slack_channel_id }}" >> $GITHUB_ENV
+        echo "TF_VAR_app_version=${{ inputs.tag_or_sha_to_deploy }}" >> $GITHUB_ENV
+
     #################################################
-    # Deploy the artefacts to AWS
+    # Deploy IAM permissions to AWS
     #################################################
 
-    - name: "Identify Terraform version"
+    - name: "Terraform init (iam)"
       shell: bash
-      id: identify-terraform-version-tag
       working-directory: "./code-for-app"
-      run: |
-        echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+      run: TF_ENV=${{ inputs.environment }}/iam make terraform-init
 
-    - name: "Install Terraform version"
-      uses: hashicorp/setup-terraform@v3
-      with:
-        terraform_version: "${{ steps.identify-terraform-version-tag.outputs.terraform_version }}"
+    - name: "Terraform plan (iam)"
+      shell: bash
+      working-directory: "./code-for-app"
+      run: TF_ENV=${{ inputs.environment }}/iam make terraform-plan opts="-out=terraform-iam.tfplan"
+
+    - name: "Terraform apply (iam)"
+      shell: bash
+      working-directory: "./code-for-app"
+      run: TF_ENV=${{ inputs.environment }}/iam make terraform-apply opts="-auto-approve" opts="terraform-iam.tfplan"
+
+    #################################################
+    # Deploy the artefacts to AWS
+    #################################################
 
     - name: "Terraform init (app)"
       shell: bash
