From 7b7db018f8284f53965dbaf1ac4c0f25721666e7 Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Thu, 11 Dec 2025 01:44:48 +0800
Subject: [PATCH 1/2] Configure AWS workflows to assume deploy role

---
 .../terraform-standard-iac-pipeline-aws-account-matrix.yaml | 3 +++
 ...-standard-iac-pipeline-aws-global-landingzone-baseline.yaml | 3 +++
 .../terraform-standard-iac-pipeline-aws-resources-matrix.yaml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
index 34bc0e80..c1cdbc64 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@@ -17,6 +17,7 @@ env:
 AWS_REGION: ap-northeast-1
 BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/component/
 DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
 
 jobs:
 terraform:
@@ -46,6 +47,8 @@ jobs:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: ${{ env.AWS_ROLE_ARN }}
+ role-session-name: github-actions
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
index 3f2515b0..60c06537 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
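Review bot: The role ARN added under `env:` hard-codes a single account ID and is repeated verbatim in the `env:` hunks of the landingzone-baseline and resources-matrix workflows, so a role change or a per-environment role means three edits that can silently drift apart. A repository or environment variable, `AWS_ROLE_ARN: ${{ vars.AWS_ROLE_ARN }}`, keeps the value in one place and lets a GitHub environment's protection rules, rather than the checked-in file, decide which role a given deployment may assume. The `env:` mapping continues outside the hunk.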
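Review bot: `role-to-assume` is layered on top of the long-lived `aws-access-key-id`/`aws-secret-access-key` secrets, so the step now chains a role from a static IAM user instead of retiring the static keys; the step hunks of the landingzone-baseline and resources-matrix workflows have the same shape. If the credential action is aws-actions/configure-aws-credentials (the `uses:` line sits above the hunk, so this is inferred), the OIDC path — `permissions: id-token: write` on the job, the two key inputs removed, and a role trust policy that trusts `token.actions.githubusercontent.com` with a `sub` condition scoped to this repository — yields short-lived credentials with no secret to rotate or leak. Separately, the constant `role-session-name: github-actions` makes every run indistinguishable in CloudTrail; `role-session-name: gha-${{ github.run_id }}` ties each assumed-role session back to one workflow run. The step and its `with:` mapping begin before the hunk.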
@@ -23,6 +23,7 @@ on:
 env:
 TF_WORKDIR: iac-template/terraform-hcl-standard/aws-cloud
 DEPLOY_ACTION: ${{ github.event.inputs.deploy_action || 'plan' }}
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
 
 jobs:
 # -------------------------------------------------------
@@ -45,6 +46,8 @@ jobs:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_REGION }}
+ role-to-assume: ${{ env.AWS_ROLE_ARN }}
+ role-session-name: github-actions
 
 - name: Terraform Init (LandingZone)
 working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
index 394ca570..508b3568 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
@@ -17,6 +17,7 @@ env:
 BASE_DIR: iac-template/terraform-hcl-standard/aws-cloud/envs
 AWS_REGION: ap-northeast-1
 DRY_RUN: ${{ github.event.inputs.dry_run || 'true' }}
+ AWS_ROLE_ARN: arn:aws:iam::950604983695:role/IacDeployRole
 
 jobs:
 terraform:
@@ -46,6 +47,8 @@ jobs:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ env.AWS_REGION }}
+ role-to-assume: ${{ env.AWS_ROLE_ARN }}
+ role-session-name: github-actions
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}

From f7ad7c4aef6687f5f98bf566cc26071efdd25dcb Mon Sep 17 00:00:00 2001
From: cloudneutral
Date: Thu, 11 Dec 2025 01:50:55 +0800
Subject: [PATCH 2/2] Skip session tagging for AWS credential steps

---
 .../terraform-standard-iac-pipeline-aws-account-matrix.yaml | 1 +
 ...rm-standard-iac-pipeline-aws-global-landingzone-baseline.yaml | 1 +
 .../terraform-standard-iac-pipeline-aws-resources-matrix.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
index c1cdbc64..30b5d5fb 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-account-matrix.yaml
@@ -49,6 +49,7 @@ jobs:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 role-session-name: github-actions
+ role-skip-session-tagging: true
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.component }}
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
index 60c06537..43f2f5bc 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-global-landingzone-baseline.yaml
@@ -48,6 +48,7 @@ jobs:
 aws-region: ${{ secrets.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 role-session-name: github-actions
+ role-skip-session-tagging: true
 
 - name: Terraform Init (LandingZone)
 working-directory: ${{ env.TF_WORKDIR }}/envs/dev-landingzone
diff --git a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
index 508b3568..56ab558c 100644
--- a/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
+++ b/.github/workflows/terraform-standard-iac-pipeline-aws-resources-matrix.yaml
@@ -49,6 +49,7 @@ jobs:
 aws-region: ${{ env.AWS_REGION }}
 role-to-assume: ${{ env.AWS_ROLE_ARN }}
 role-session-name: github-actions
+ role-skip-session-tagging: true
 
 - name: Init
 working-directory: ${{ env.BASE_DIR }}/${{ matrix.env }}
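Review bot: `role-skip-session-tagging: true` drops the session tags (repository, workflow, actor, branch, commit) that the credential action would otherwise attach to the assumed-role session, and with `role-session-name` fixed at `github-actions` that leaves CloudTrail with no per-run attribution for anything this role does; the same line is added in the landingzone-baseline and resources-matrix hunks below. If the flag was added because AssumeRole failed on tagging (the subject line hints at it but gives no reason), the usual cause is the role's trust policy granting `sts:AssumeRole` without `sts:TagSession`; adding that action to the trust policy and removing the flag keeps the tags. If the flag has to stay, record why in a comment above it, e.g. `# session tagging skipped: <reason — fill in>`. The step's `with:` mapping begins before the hunk.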