feat(iac-deploy): Create reusable workflow for iac deployments

[chris3ware]

The purpose of this workflow is to create a plan comment in the pull request and apply, via merge queue on merge.

Successful applies will trigger code promotion, where the workflow can be called again to apply to a different environment.

The environment is provided via an input.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/cache	5a3ec84eff668545956fd18022155c47e93e2684	🟢 7.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 26 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/actions/checkout	11bd71901bbe5b1630ceea73d27597364c9af683	🟢 5.9	Details Check Score Reason Maintained ⚠️ 2 2 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/aws-actions/configure-aws-credentials	e3dd6a429d7300a6a4c196c26e071d42e0343502	🟢 5.6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 29 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 5 Found 9/18 approved changesets -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 6 4 existing vulnerabilities detected
actions/op5dev/tf-via-pr	f455e10e6e83d28f53f505a2d8242433a17536f3	Unknown	Unknown
actions/opentofu/setup-opentofu	592200bd4b9bbf4772ace78f887668b1aee8f716	🟢 4.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Maintained ⚠️ 2 1 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 9 Found 11/12 approved changesets -- score normalized to 9 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/terraform-linters/setup-tflint	15ef44638cb215296e7ba9e7a41f20b5b06f4784	🟢 5.1	Details Check Score Reason Maintained 🟢 10 27 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 2 Found 1/5 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy ⚠️ 0 security policy file not detected Pinned-Dependencies 🟢 10 all dependencies are pinned License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/tj-actions/changed-files	c3a1bb2c992d77180ae65be6ae6c166cf40f857c	🟢 6.2	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review ⚠️ 0 Found 1/14 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 SAST 🟢 8 SAST tool detected but not run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected

Scanned Files

• .github/workflows/iac-deploy.yaml

[github-actions]

Hi and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

Unknown scope "iac-deploy" found in pull request title "feat(iac-deploy): Create reusable workflow for iac deployments". Scope must match one of: checks, commitlint, delete-run, dep-review, get-token, pr-check, pr-title, ossf, release, renovate, terraform-dir, terraform-docs, trunk, workflows.

Please update the title to follow the conventional commit specification. If you need help, feel free to ask! 😊

[chris3ware]

Hi and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

Unknown scope "iac-deploy" found in pull request title "feat(iac-deploy): Create reusable workflow for iac deployments". Scope must match one of: checks, commitlint, delete-run, dep-review, get-token, pr-check, pr-title, ossf, release, renovate, terraform-dir, terraform-docs, trunk, workflows.

Please update the title to follow the conventional commit specification. If you need help, feel free to ask! 😊

This can be ignored. The commit scope has been added to the commitlint config file in this PR

[james3ware]

Successful plan and apply here: 3ware/aws-network-speciality#89

[chris3ware]

Going to close this PR and raise another for code promotion

[3ware-release]

This PR is included in version 4.19.0