Overview
To reduce risk and not allow terraform plan operations to make changes, we should separate the plan and apply roles that incubator assumes for various operations
Action Items
- In the devops-security repo, create the role `incubator-tf-plan` with the `ReadOnlyAccess` policy applied. Its trust policy should remain the same as the existing `gha-incubator` role.
- In `/.github/workflows/terraform-plan.yaml`, change `role-to-assume` to the role created in the previous step.
- In the devops-security repo, create the role `incubator-tf-apply` with the `AdministratorAccess` policy applied. Its trust policy should only include `"repo:hackforla/incubator:ref:refs/heads/main"`.
- In `/.github/workflows/terraform-apply.yaml`, change `role-to-assume` to the role created in the previous step.
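The four steps above, expressed as one Terraform module for the devops-security repo. This is an added example, not code from the incubator or devops-security repos: the account id variable, the OIDC provider ARN derived from it, and the `data "aws_iam_role"` lookup of `gha-incubator` are assumptions used to keep the plan role's trust policy byte-identical to the existing one, as the issue asks.

```hcl
# Added example (not from the incubator or devops-security repos).
# Two GitHub Actions OIDC roles: a read-only one for `terraform plan` and an
# admin one that only the main branch of hackforla/incubator can assume.
# The account id and provider ARN below are placeholders/assumptions.

variable "aws_account_id" {
  type        = string
  description = "Account that owns the roles (placeholder; supply your own)"
}

locals {
  # The GitHub OIDC provider is assumed to already exist in this account.
  github_oidc_provider_arn = "arn:aws:iam::${var.aws_account_id}:oidc-provider/token.actions.githubusercontent.com"
}

# Existing role whose trust policy the plan role must keep unchanged.
data "aws_iam_role" "gha_incubator" {
  name = "gha-incubator"
}

# Plan role: same trust as gha-incubator, but only ReadOnlyAccess, so a
# plan run (including one triggered from a pull request) cannot mutate anything.
resource "aws_iam_role" "incubator_tf_plan" {
  name               = "incubator-tf-plan"
  assume_role_policy = data.aws_iam_role.gha_incubator.assume_role_policy
}

resource "aws_iam_role_policy_attachment" "plan_readonly" {
  role       = aws_iam_role.incubator_tf_plan.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Apply role: AdministratorAccess, assumable only when the OIDC subject claim
# is exactly the main branch ref. StringEquals (not StringLike) so that no
# other branch, tag, or pull_request subject matches.
resource "aws_iam_role" "incubator_tf_apply" {
  name = "incubator-tf-apply"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Federated = local.github_oidc_provider_arn }
      Action    = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
          "token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
        }
      }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "apply_admin" {
  role       = aws_iam_role.incubator_tf_apply.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

# ARNs to paste into `role-to-assume` in terraform-plan.yaml and terraform-apply.yaml.
output "plan_role_arn" {
  value = aws_iam_role.incubator_tf_plan.arn
}

output "apply_role_arn" {
  value = aws_iam_role.incubator_tf_apply.arn
}
```

Two points worth checking after this is applied. First, a workflow run on a pull request carries a subject of the form `repo:<org>/<repo>:pull_request`, so with the trust policy above such runs cannot assume `incubator-tf-apply` at all; only the `main` push workflow can. Second, `ReadOnlyAccess` covers reading state from an S3 backend but does not include the DynamoDB write actions the backend uses for state locking, so if the backend has a lock table, `terraform plan` under the plan role will fail to acquire the lock unless it is run with `-lock=false` or the role is additionally granted the lock-table actions.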