Merge pull request #3604 from nhsuk/policy_version_sync

bogsi17 · web-flow · commit 1b0fe5e515ed · 2025-05-29T08:53:57.000+01:00
Policy version sync
diff --git a/.github/workflows/deploy-infrastructure.yml b/.github/workflows/deploy-infrastructure.yml
@@ -39,15 +39,63 @@ env:
   aws_role: ${{ inputs.environment == 'production'
     && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
+  aws_account_id: ${{ inputs.environment == 'production'
+    && '820242920762' || '393416225559' }}
 
 defaults:
   run:
     working-directory: terraform/app
 
 jobs:
+  validate-permissions:
+    name: Validate permissions
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    outputs:
+      policy-mismatch: ${{ steps.compare-permissions.outputs.policy_mismatch }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.image_tag || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Compare permissions
+        id: compare-permissions
+        run: |
+          ../scripts/validate-github-actions-policy.sh arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources ../resources/github_actions_policy.json
+
+  update-permissions:
+    name: Update permissions
+    runs-on: ubuntu-latest
+    needs: validate-permissions
+    if: inputs.environment == 'production' && needs.validate-permissions.outputs.policy-mismatch == 'true'
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.image_tag || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Update IAM policy
+        run: |
+          ../scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.aws_account_id }}:policy/DeployMavisResources ../resources/github_actions_policy.json
+
   plan:
     name: Terraform plan
     runs-on: ubuntu-latest
+    needs: [validate-permissions, update-permissions]
+    if: always() && (needs.validate-permissions.outputs.policy-mismatch != 'true' || needs.update-permissions.result == 'success')
     permissions:
       id-token: write
     steps:
diff --git a/terraform/scripts/update-github-actions-policy.sh b/terraform/scripts/update-github-actions-policy.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <policy-arn> <policy-file>"
+    exit 1
+fi
+
+POLICY_ARN=$1
+POLICY_FILE=$2
+
+# Get existing policy versions
+EXISTING_VERSIONS=$(aws iam list-policy-versions --policy-arn "$POLICY_ARN" --query 'Versions[].VersionId' --output text)
+
+# If there are 5 or more versions, delete the oldest one
+if [ "$(echo "$EXISTING_VERSIONS" | wc -w)" -ge 5 ]; then
+    OLDEST_VERSION=$(echo "$EXISTING_VERSIONS" | awk '{print $NF}')
+    echo "Deleting oldest version: $OLDEST_VERSION"
+    aws iam delete-policy-version --policy-arn "$POLICY_ARN" --version-id "$OLDEST_VERSION"
+else
+    echo "No need to delete any policy versions."
+fi
+
+# Create a new version of the policy
+aws iam create-policy-version --policy-arn "$POLICY_ARN" --policy-document "file://$POLICY_FILE" --set-as-default
diff --git a/terraform/scripts/validate-github-actions-policy.sh b/terraform/scripts/validate-github-actions-policy.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <policy-arn> <policy-file>"
+    exit 1
+fi
+
+POLICY_ARN=$1
+POLICY_FILE=$2
+
+VERSION_ID=$(aws iam get-policy --policy-arn "$POLICY_ARN" --query 'Policy.DefaultVersionId' --output text)
+aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$VERSION_ID" --query 'PolicyVersion.Document' --output json > deployed_policy.json
+
+jq -S . deployed_policy.json > deployed_policy_sorted.json
+jq -S . "$POLICY_FILE" > github_actions_policy_sorted.json
+
+POLICY_DIFF=$(diff --unified deployed_policy_sorted.json github_actions_policy_sorted.json)
+if [ -n "$POLICY_DIFF" ]; then
+  echo "Policy mismatch detected: $POLICY_DIFF"
+  echo "policy_mismatch=true" >> "$GITHUB_OUTPUT"
+else
+  echo "No policy mismatch detected"
+fi
