
Separate plan and apply roles for incubator terraform #146

@ale210


Overview

To reduce risk and not allow terraform plan operations to make changes, we should separate the plan and apply roles that incubator assumes for various operations.

Action Items

  • in the devops-security repo, create the role incubator-tf-plan, with the ReadOnlyAccess policy applied. The trust policy should remain the same as the existing gha-incubator role
  • in the role-to-assume in `/.github/workflows/terraform-plan.yaml`, change the role to the newly created role in the previous step
  • in the devops-security repo, create the role incubator-tf-apply, with the AdministratorAccess policy applied. The trust policy should only include "repo:hackforla/incubator:ref:refs/heads/main"
  • in the role-to-assume in `/.github/workflows/terraform-apply.yaml`, change the role to the newly created role in the previous step
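
A check for the apply role's trust policy described in the third action item, as an added example that is not part of the original issue or of the hackforla repositories. It models only `StringEquals` and `StringLike` on the GitHub OIDC `sub` claim; the account id, the probe claims and the wide policy are constructed for illustration.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
MAIN_SUB = "repo:hackforla/incubator:ref:refs/heads/main"  # value from the issue
# Constructed probe claims that the apply role must reject.
PROBES = ["repo:hackforla/incubator:pull_request",
          "repo:hackforla/incubator:ref:refs/heads/feature-x",
          "repo:hackforla/some-other-repo:ref:refs/heads/main"]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(pattern, value):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.S) is not None

def sub_allowed(trust_policy, sub):
    """True if an Allow statement for web-identity federation admits `sub`."""
    for st in _as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action", [])):
            continue
        ok = True  # a statement with no sub condition admits every claim
        for op, keys in st.get("Condition", {}).items():
            for key, patterns in keys.items():
                if key != SUB_KEY:
                    continue  # other keys such as :aud are not modelled here
                if op == "StringEquals":
                    ok = ok and sub in _as_list(patterns)
                elif op == "StringLike":
                    ok = ok and any(_like(p, sub) for p in _as_list(patterns))
                else:
                    ok = False  # unmodelled operator: fail closed
        if ok:
            return True
    return False

def audit_apply_trust(trust_policy):
    """Return findings; an empty list means only the main-branch claim is admitted."""
    findings = [] if sub_allowed(trust_policy, MAIN_SUB) else ["main branch rejected"]
    return findings + [p for p in PROBES if sub_allowed(trust_policy, p)]

def _policy(op, pattern):  # constructed trust policy; account id is a placeholder
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/"
                                   "token.actions.githubusercontent.com"},
        "Condition": {op: {SUB_KEY: pattern}}}]}

APPLY_TRUST = _policy("StringEquals", MAIN_SUB)
WIDE_TRUST = _policy("StringLike", "repo:hackforla/incubator:*")  # hypothetical
```

Run `audit_apply_trust` on the JSON of the incubator-tf-apply trust policy before merging; any returned claim is a workflow context other than main that could assume the AdministratorAccess role.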
