From 790f7d8e5b0eb59d4d43fbaf4ed1185429a4ff8c Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:15:24 -0300
Subject: [PATCH 1/7] fix: change output for destroy step
---
 .github/workflows/terraform.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 6a07abd..0f1f26c 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -35,8 +35,8 @@ jobs:
 run: |
 DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
 DESTROY_PROD="$(jq -r '.prod' ./infra/destroy_config.json)"
- echo "::set-output name=destroy_dev::$DESTROY_DEV"
- echo "::set-output name=destroy_prod::$DESTROY_PROD"
+ echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+ echo "destroy_prod=$(echo $DESTROY_PROD)" >> $GITHUB_OUTPUT
 - name: Terraform Init
 run: |
From 2993de94609cbcddea8745ba34b902a42397f93f Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:18:16 -0300
Subject: [PATCH 2/7] fix: update actions version
---
 .github/workflows/terraform.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 0f1f26c..25ee816 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -16,15 +16,15 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
+ uses: hashicorp/setup-terraform@v3
 with:
 terraform_version: 1.8.3
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
+ uses: aws-actions/configure-aws-credentials@v3
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
From fe7a5b418dd37b63115f771cb58f931ba2c21d6b Mon Sep 17 00:00:00 2001
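Review bot: On the two added `>> $GITHUB_OUTPUT` lines, the `$(echo $DESTROY_DEV)` subshell is redundant and, because the variable is unquoted inside it, any whitespace in the value is collapsed before it is written; `echo "destroy_dev=${DESTROY_DEV}" >> "$GITHUB_OUTPUT"` (and the same for `destroy_prod`) gives the same result without the extra process or the word-splitting. Note also that `jq -r` prints the string `null` when a key is absent from destroy_config.json, which the later `== 'true'` comparisons treat as "do not destroy"; that is a safe default but worth a one-line comment on the step so nobody relies on the file always carrying both keys. The `run: |` block continues outside the hunk.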
From: brunograna
Date: Wed, 29 May 2024 10:20:23 -0300
Subject: [PATCH 3/7] fix: update actions version
---
 .github/workflows/terraform.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 25ee816..6ca2072 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v3
@@ -24,7 +24,7 @@ jobs:
 terraform_version: 1.8.3
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v3
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
From 1882332cdb83d4480e4b5eb6cb504faf16f3afcb Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:37:16 -0300
Subject: [PATCH 4/7] feat: change to use assume role
---
 .github/workflows/terraform.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 6ca2072..0b53b43 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -26,9 +26,11 @@ jobs:
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ vars.AWS_REGION }}
+ role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role #change to reflect your IAM role’s ARN
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+# aws-region: ${{ vars.AWS_REGION }}
 - name: Read destroy configuration
 id: read-destroy-config
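Review bot: The `role-to-assume` line hardcodes an account-specific ARN and leaves a `#change to reflect your IAM role’s ARN` reminder beside it, while the region on the adjacent line already comes from a repository variable; reading the role the same way, e.g. `role-to-assume: ${{ vars.AWS_ROLE_ARN }}` (constructed name, define it in the repo settings), keeps the identifier out of the workflow and makes the reminder unnecessary. The same literal is carried into both files by patch 7/7 (the new terraform-dev.yml and the renamed terraform-prod.yml), so one variable would serve all three places. Because the job now authenticates with a GitHub OIDC token, the role's trust policy should pin the token's `sub` claim to this repository and, ideally, to the `develop`/`main` refs that trigger the workflow; that policy lives in AWS and cannot be checked from this diff.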
From 3ac147562f6d73d6246bdb7f4fe31d79404b85ba Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:37:36 -0300
Subject: [PATCH 5/7] feat: change to use assume role
---
 .github/workflows/terraform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 0b53b43..5f29254 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -30,7 +30,7 @@ jobs:
 role-session-name: GitHub_to_AWS_via_FederatedOIDC
 # aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 # aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-# aws-region: ${{ vars.AWS_REGION }}
+ aws-region: ${{ vars.AWS_REGION }}
 - name: Read destroy configuration
 id: read-destroy-config
From 1abb5417fec64ef281436dda1d92c0dd5700de0c Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:39:04 -0300
Subject: [PATCH 6/7] feat: change to use assume role
---
 .github/workflows/terraform.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 5f29254..8607022 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -6,6 +6,11 @@ on:
 - develop
 - main
+# Permission can be added at job level or workflow level
+permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
 jobs:
 terraform:
 runs-on: ubuntu-latest
From 2156679e1e1eb62c2de89de4cf60a32ac25eaa06 Mon Sep 17 00:00:00 2001
From: brunograna
Date: Wed, 29 May 2024 10:43:18 -0300
Subject: [PATCH 7/7] feat: separate actions per env
---
 .github/workflows/terraform-dev.yml | 72 +++++++++++++++++++
 .../{terraform.yml => terraform-prod.yml} | 31 +-------
 2 files changed, 75 insertions(+), 28 deletions(-)
 create mode 100644 .github/workflows/terraform-dev.yml
 rename .github/workflows/{terraform.yml => terraform-prod.yml} (64%)
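Review bot: The new `permissions:` block in patch 6/7 grants `id-token: write` at workflow level, so any job added to this workflow later automatically inherits the ability to obtain an OIDC token for the AWS role, even though the comment above it notes the block can live at job level. Moving the two keys under `jobs.terraform` keeps the grant scoped to the one job that runs configure-aws-credentials; `contents: read` is still required there for actions/checkout. With a single job today the behaviour is identical, so this is a least-privilege tidy-up rather than a functional change.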
diff --git a/.github/workflows/terraform-dev.yml b/.github/workflows/terraform-dev.yml
new file mode 100644
index 0000000..f93951e
--- /dev/null
+++ b/.github/workflows/terraform-dev.yml
@@ -0,0 +1,72 @@
+name: "[DEV] - Terraform Deployment"
+
+on:
+ push:
+ branches:
+ - develop
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ terraform:
+ runs-on: ubuntu-latest
+
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: 1.8.3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role
+ role-session-name: GitHub_to_AWS_via_FederatedOIDC
+ aws-region: ${{ vars.AWS_REGION }}
+
+ - name: Read destroy configuration
+ id: read-destroy-config
+ run: |
+ DESTROY_DEV="$(jq -r '.dev' ./infra/destroy_config.json)"
+ echo "destroy_dev=$(echo $DESTROY_DEV)" >> $GITHUB_OUTPUT
+
+ - name: Terraform Init
+ run: |
+ cd infra && terraform init \
+ -backend-config="bucket=${{ vars.TERRAFORM_S3_STATEFILE_BUCKET }}" \
+ -backend-config="key=${{ github.event.repository.name }}" \
+ -backend-config="region=${{ env.AWS_REGION }}" \
+ -backend-config="dynamodb_table=${{ vars.TERRAFORM_DYNAMODB_LOCK_TABLE }}"
+
+ - name: Terraform Validate
+ run: terraform validate
+
+ - name: Terraform Destroy for Dev
+ if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ id: terraform-destroy-dev
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
+
+ - name: Terraform Plan for Dev
+ if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ id: terraform-plan-dev
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
+
+ - name: Terraform Apply for Dev
+ id: terraform-apply-dev
+ if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
+ run: cd infra &&
+ terraform workspace select dev || terraform workspace new dev &&
+ terraform apply "dev.plan"
\ No newline at end of file
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform-prod.yml
similarity index 64%
rename from .github/workflows/terraform.yml
rename to .github/workflows/terraform-prod.yml
index 8607022..be3f462 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform-prod.yml
@@ -1,15 +1,13 @@
-name: Terraform Deployment
+name: "[PROD] - Terraform Deployment"
 on:
 push:
 branches:
- - develop
 - main
-# Permission can be added at job level or workflow level
 permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
+ id-token: write
+ contents: read
 jobs:
 terraform:
@@ -33,8 +31,6 @@ jobs:
 with:
 role-to-assume: arn:aws:iam::179916804929:role/BuildRun-GithubActions-Role #change to reflect your IAM role’s ARN
 role-session-name: GitHub_to_AWS_via_FederatedOIDC
-# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ vars.AWS_REGION }}
 - name: Read destroy configuration
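Review bot: The `Terraform Validate` step in the new terraform-dev.yml runs `terraform validate` from the repository root, because the `cd infra` in the Init step only affects that step's shell; with the configuration under `infra/`, the step does not exercise the module it is meant to check. Use `run: cd infra && terraform validate`, or better set `defaults.run.working-directory: infra` once next to `shell: bash` and drop the repeated `cd infra &&` prefixes in the Init, Destroy, Plan and Apply steps. The same root-level `terraform validate` line survives as context in terraform-prod.yml (hunk `@@ -56,27 +52,6 @@` of this patch). Two smaller points in the same file: `-backend-config="region=${{ env.AWS_REGION }}"` reads the `env` context while every other step uses `vars.AWS_REGION`, and it appears to work only because configure-aws-credentials exports that variable — using `vars.AWS_REGION` in both places removes the hidden dependency; and the file is written without a trailing newline.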
@@ -56,27 +52,6 @@ jobs:
 - name: Terraform Validate
 run: terraform validate
- - name: Terraform Destroy for Dev
- if: steps.read-destroy-config.outputs.destroy_dev == 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- id: terraform-destroy-dev
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform destroy -var-file="./envs/dev/terraform.tfvars" -auto-approve
- - name: Terraform Plan for Dev
- if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- id: terraform-plan-dev
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform plan -var-file="./envs/dev/terraform.tfvars" -out=dev.plan
- - name: Terraform Apply for Dev
- id: terraform-apply-dev
- if: steps.read-destroy-config.outputs.destroy_dev != 'true' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
- run: cd infra &&
- terraform workspace select dev || terraform workspace new dev &&
- terraform apply "dev.plan"
-
 - name: Terraform Destroy for Prod
 if: steps.read-destroy-config.outputs.destroy_prod == 'true' && github.ref == 'refs/heads/main' && github.event_name == 'push'
 id: terraform-destroy-prod