From c5d9922be2c8a4a9a3f476c7e4d2fd04967d546e Mon Sep 17 00:00:00 2001
From: Daniel Brooks
Date: Thu, 15 Aug 2024 11:57:31 -0700
Subject: [PATCH] chore(ci): testing aws
---
 .github/actions/cdktf/action.yml | 23 ++++++++++++++-
 .github/actions/raw-terraform/action.yml | 21 ++++++++++++++
 .github/workflows/infrastructure.yml | 37 ++++++++++++++++++++----
 .github/workflows/list-api.yml | 2 +-
 4 files changed, 76 insertions(+), 7 deletions(-)
diff --git a/.github/actions/cdktf/action.yml b/.github/actions/cdktf/action.yml
index d5332e12d..ba35e154c 100644
--- a/.github/actions/cdktf/action.yml
+++ b/.github/actions/cdktf/action.yml
@@ -14,7 +14,16 @@ inputs:
 behavior:
 description: The behavior that Terraform should use, either plan or apply
 required: true
-
+ pagerduty-token:
+ description: Pagerduty Token to use in terraform
+ required: true
+ terraform-token:
+ description: Terraform Token to use in terraform
+ required: true
+ github-token:
+ description: Github Token to use for terraform comment
+ required: true
+
 runs:
 using: 'composite'
 steps:
@@ -59,12 +68,24 @@ runs:
 tfenv install
 tfenv use
 terraform init
+ - name: Save off terraform token
+ shell: bash
+ env:
+ TERRAFORM_TOKEN: ${{ input.terraform-token }}
+ run: |
+ rc="credentials \"app.terraform.io\" { "
+ rc="${rc} token=\"$TERRAFORM_TOKEN\" "
+ rc="${rc}}"
+ echo "$rc" > ~/.terraformrc
 # Once TFCMT supports no change applies, change terraform apply to
 # tfcmt --var target:${{ inputs.scope }}-${{ inputs.environment }} apply -- terraform apply -auto-approve -lock-timeout=10m
 # https://github.com/suzuki-shunsuke/tfcmt/issues/1184
 - name: Plan/Apply CDKTF
 shell: bash
+ env:
+ TERRAFORM_TOKEN: ${{ input.pagerduty-token }}
+ GITHUB_TOKEN: ${{ input.github-token }}
 run: |
 cd ${{ inputs.stack-output-path }}
 if [ "${{ inputs.behavior }}" = "apply" ]; then
diff --git a/.github/actions/raw-terraform/action.yml b/.github/actions/raw-terraform/action.yml
index f8002306f..e9aaa4f76 100644
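Review bot: `TERRAFORM_TOKEN: ${{ input.terraform-token }}` in the "Save off terraform token" step, and the `input.pagerduty-token` / `input.github-token` references in the "Plan/Apply CDKTF" env, use `input` where the composite-action context is `inputs`; GitHub rejects unknown named-values when it loads the action, so no token is ever read, and the identical lines appear in the raw-terraform hunk at the same position. The "Plan/Apply CDKTF" env also assigns the PagerDuty token to `TERRAFORM_TOKEN`, the same variable the previous step uses for the Terraform Cloud token, so presumably `PAGERDUTY_TOKEN: ${{ inputs.pagerduty-token }}` was meant. Writing the token into `~/.terraformrc` with `echo` leaves the credential on disk for the lifetime of the runner and overwrites any existing CLI configuration; setting `TF_TOKEN_app_terraform_io: ${{ inputs.terraform-token }}` in the env of the step that runs terraform gives the same login without the file and without the `rc=` quoting. The steps list continues outside the hunk.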
--- a/.github/actions/raw-terraform/action.yml
+++ b/.github/actions/raw-terraform/action.yml
@@ -14,6 +14,15 @@ inputs:
 behavior:
 description: The behavior that Terraform should use, either plan or apply
 required: true
+ pagerduty-token:
+ description: Pagerduty Token to use in terraform
+ required: true
+ terraform-token:
+ description: Terraform Token to use in terraform
+ required: true
+ github-token:
+ description: Github Token to use for terraform comment
+ required: true
 runs:
 using: 'composite'
@@ -59,12 +68,24 @@ runs:
 tfenv install
 tfenv use
 terraform init
+ - name: Save off terraform token
+ shell: bash
+ env:
+ TERRAFORM_TOKEN: ${{ input.terraform-token }}
+ run: |
+ rc="credentials \"app.terraform.io\" { "
+ rc="${rc} token=\"$TERRAFORM_TOKEN\" "
+ rc="${rc}}"
+ echo "$rc" > ~/.terraformrc
 # Once TFCMT supports no change applies, change terraform apply to
 # tfcmt --var target:${{ inputs.scope }}-${{ inputs.environment }} apply -- terraform apply -auto-approve -lock-timeout=10m
 # https://github.com/suzuki-shunsuke/tfcmt/issues/1184
 - name: Plan/Apply CDKTF
 shell: bash
+ env:
+ TERRAFORM_TOKEN: ${{ input.pagerduty-token }}
+ GITHUB_TOKEN: ${{ input.github-token }}
 run: |
 cd ${{ inputs.stack-output-path }}
 if [ "${{ inputs.behavior }}" = "apply" ]; then
diff --git a/.github/workflows/infrastructure.yml b/.github/workflows/infrastructure.yml
index 3dcff59d7..88d048721 100644
--- a/.github/workflows/infrastructure.yml
+++ b/.github/workflows/infrastructure.yml
@@ -20,10 +20,11 @@ on:
 description: "The output of terraform apply"
 value: ${{ jobs.apply.outputs.terraform-output }}
-# Allow Terraform Comment to write to PRs
 permissions:
- pull-requests: write
-
+ pull-requests: write # Allow Terraform Comment to write to PRs
+ contents: read # This is required for actions/checkout
+ id-token: write # Access the Github JWT for AWS access
+
 jobs:
 # TODO: These need to request AWS credentials to run terraform
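Review bot: `id-token: write` is added at the workflow level, so every job of this reusable workflow, including the plan job that runs for pull requests, can mint an OIDC token and assume any role whose trust policy accepts this repository; move `id-token: write` into a job-level `permissions:` block on the jobs that actually call configure-aws-credentials and leave the workflow-level block at `pull-requests: write` and `contents: read`. A job-level `permissions:` block replaces the workflow-level set for that job rather than extending it, so the job block must list all the scopes the job needs. The `# TODO: These need to request AWS credentials to run terraform` comment survives on the new side even though this commit starts doing that for the plan job; either drop it or narrow it to the job that is still missing credentials.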
@@ -34,15 +35,24 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
-
+ # Get the AWS credentials
+ - name: AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-1
+ role-to-assume: arn:aws:iam::410318598490:role/GithubTesting-Daniel
 - name: Execute CDKTF
 if: inputs.raw-terraform == false
 uses: ./.github/actions/cdktf
 with:
 stack-output-path: ${{inputs['stack-output-path']}}
 scope: ${{inputs['scope']}}
- environment: production
+ environment: development #production
 behavior: plan
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
+
 - name: Execute Raw Terraform
 if: inputs.raw-terraform == true
 uses: ./.github/actions/raw-terraform
@@ -51,6 +61,9 @@ jobs:
 scope: ${{inputs['scope']}}
 environment: production
 behavior: plan
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
 apply:
 if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main'
@@ -69,6 +82,9 @@ jobs:
 scope: ${{inputs['scope']}}
 environment: development
 behavior: apply
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
 - name: Execute Developement Raw Terraform
 if: inputs.raw-terraform == true && github.ref == 'refs/heads/dev'
 uses: ./.github/actions/raw-terraform
@@ -77,6 +93,9 @@ jobs:
 scope: ${{inputs['scope']}}
 environment: development
 behavior: apply
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
 - name: Execute Production CDKTF
 if: inputs.raw-terraform == false && github.ref == 'refs/heads/main'
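Review bot: `role-to-assume: arn:aws:iam::410318598490:role/GithubTesting-Daniel` hard-codes a personal testing role, and `aws-region: us-east-1` a single region, into a reusable workflow that every stack calls through `workflow_call`; pass both in through the workflow's inputs or repository/environment variables (for example `role-to-assume: ${{ vars.AWS_PLAN_ROLE_ARN }}`, a constructed name) so the role can differ per environment and its trust policy can be scoped to the calling repository and branch. `environment: development #production` on the CDKTF plan step reads as a leftover from testing and leaves the CDKTF plan running against development while the raw-terraform plan step in the next hunk still says `environment: production`; restore one value for both or explain the difference in a comment rather than a trailing `#production`. The remaining steps of the plan job are outside the hunk.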
@@ -86,6 +105,10 @@ jobs:
 scope: ${{inputs['scope']}}
 environment: production
 behavior: apply
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
+
 - name: Execute Production Raw Terraform
 if: inputs.raw-terraform == true && github.ref == 'refs/heads/main'
 uses: ./.github/actions/raw-terraform
@@ -94,6 +117,10 @@ jobs:
 scope: ${{inputs['scope']}}
 environment: production
 behavior: apply
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ pagerduty-token: ${{ secrets.PAGERDUTY_TOKEN }}
+ terraform-token: ${{ secrets.TERRAFORM_TOKEN }}
+
 - name: Set Output Based on Condition
 id: set_output
 run: |
diff --git a/.github/workflows/list-api.yml b/.github/workflows/list-api.yml
index 00d7ca5ac..87bfced4c 100644
--- a/.github/workflows/list-api.yml
+++ b/.github/workflows/list-api.yml
@@ -39,7 +39,7 @@ jobs:
 infrastructure:
 uses: ./.github/workflows/infrastructure.yml
 with:
- scope: user-api-cdk
+ scope: list-api-cdk
 stack-output-path: infrastructure/list-api/cdktf.out/stacks/list-api
 # Ensure the re-usable workflow is allowed to access the secrets
 secrets: inherit
\ No newline at end of file
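Review bot: The two production apply steps in these hunks now receive the three tokens, but neither hunk adds an AWS credentials step to the apply job, while the plan job gained one earlier in this commit and the workflow's `# TODO: These need to request AWS credentials to run terraform` comment is still on the new side. If the apply job is meant to run terraform against AWS it needs its own `aws-actions/configure-aws-credentials` step, preferably assuming a separate, apply-capable role that the PR-triggered plan job cannot assume. The apply job's earlier steps are outside these hunks, so this may already be handled there.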