Separate plan and apply roles for incubator terraform #146

@ale210

Overview

To reduce risk and not allow terraform plan operations to make changes, we should separate the plan and apply roles that incubator assumes for various operations.

Action Items

  • In the devops-security repo, create the role incubator-tf-plan, with the ReadOnlyAccess policy applied. The trust policy should remain the same as the existing gha-incubator role.
  • In the role-to-assume in `/.github/workflows/terraform-plan.yaml`, change the role to the newly created role in the previous step.
  • In the devops-security repo, create the role incubator-tf-apply, with the AdministratorAccess policy applied. The trust policy should only include "repo:hackforla/incubator:ref:refs/heads/main".
  • In the role-to-assume in `/.github/workflows/terraform-apply.yaml`, change the role to the newly created role in the previous step.

Status

In progress (actively working)
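
A check for the apply-role trust policy described in the action items above, as an added example that is not part of the original issue or the project's code. It assumes the role is assumed through GitHub's OIDC provider with a condition on the `token.actions.githubusercontent.com:sub` claim; the sample policies, the account ID and the helper names are constructed for illustration.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"
MAIN_ONLY = "repo:hackforla/incubator:ref:refs/heads/main"  # value from the issue

def sub_conditions(stmt):
    """Yield (operator, [patterns]) for each condition on the OIDC sub claim."""
    for op, conds in stmt.get("Condition", {}).items():
        for key, val in conds.items():
            if key.lower() == SUB_KEY:
                yield op, (val if isinstance(val, list) else [val])

def matches(op, pattern, sub):
    """StringEquals is exact; StringLike treats * and ? as wildcards.
    Any other operator is treated as a non-match (conservative)."""
    if op == "StringLike":
        rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, sub) is not None
    return op == "StringEquals" and pattern == sub

def can_assume(policy, sub):
    """True if any Allow statement accepts this sub (operators ANDed, values ORed)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if all(any(matches(op, p, sub) for p in pats)
               for op, pats in sub_conditions(stmt)):
            return True
    return False

def audit_apply_role(policy):
    """Return findings; an empty list means only the main branch is trusted."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        conds = list(sub_conditions(stmt))
        if not conds:
            findings.append("Allow statement has no sub condition")
        for op, pats in conds:
            findings += [f"unexpected subject {p!r} ({op})" for p in pats if p != MAIN_ONLY]
    return findings

def trust(op, subs):  # constructed sample policy; the account ID is a placeholder
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/token.actions.githubusercontent.com"},
        "Action": "sts:AssumeRoleWithWebIdentity", "Condition": {op: {SUB_KEY: subs}}}]}

APPLY_OK = trust("StringEquals", [MAIN_ONLY])                # what the issue asks for
APPLY_WIDE = trust("StringLike", "repo:hackforla/incubator:*")  # assumed misconfiguration
```

With the wildcard policy, a token minted for a pull request run (`repo:hackforla/incubator:pull_request`) satisfies the trust policy of the administrator role, which is the exposure the main-only subject removes.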
