User Story
As a Modernisation Platform Engineer,
I want to ensure that Terraform selects the appropriate role during plan and apply operations using terraform.applying, so that we use the correct permissions (read-only for plan and admin for apply) without affecting local runs.
Value / Purpose
This implementation will help ensure that the correct permissions are used during Terraform operations. By using terraform.applying to differentiate between plan and apply, we can enforce stricter security and operational controls, ensuring the right role with appropriate permissions is used.
Context / Background
Terraform introduced the terraform.applying feature in version 1.10.
We have two roles in the MP account:
github-actions-plan (read-only permissions)
github-actions-apply (admin permissions)
The plan role should be applied to branches other than main, and the apply role should only be applied to the main branch. These roles are already created in the MP account. We want to use terraform.applying to ensure the correct role is selected based on the branch and operation.
Useful Contacts
No response
Additional Information
github-actions-plan role is for non-main branches and has read-only permissions.
github-actions-apply role is for the main branch and has admin permissions.
Definition of Done
I am unable to run Terraform Apply on branches and pull requests by modifying the GitHub Workflow files only for the MP repository.
Local Terraform runs remain unaffected.
CI/CD processes continue to work as usual.
The solution is tested and validated to work as expected within the MP repository.
SimonPPledger changed the title from "Implement Role-Based Access Control Using Terraform’s terraform.applying Feature" to "PoC: Implement Role-Based Access Control Using Terraform’s terraform.applying Feature" on Jan 30, 2025
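One way to express the role selection described in this issue, as an added example rather than code from the issue or the Modernisation Platform repository. The variable names `assume_ci_role` and `mp_account_id` and the account ID are assumptions; the two role names are the ones listed in the issue.

```hcl
terraform {
  # terraform.applying is available from Terraform 1.10 onwards.
  required_version = ">= 1.10.0"
}

# Hypothetical switch: the CI workflow sets TF_VAR_assume_ci_role=true.
# It defaults to false so local runs keep using the engineer's own credentials.
variable "assume_ci_role" {
  type    = bool
  default = false
}

# Placeholder account ID, not the real MP account.
variable "mp_account_id" {
  type    = string
  default = "111122223333"
}

provider "aws" {
  # The block is only rendered in CI; locally no role is assumed at all.
  dynamic "assume_role" {
    for_each = var.assume_ci_role ? [1] : []

    content {
      # terraform.applying is an ephemeral boolean: false while planning,
      # true while applying. Provider configuration is one of the places
      # where ephemeral values may be referenced.
      role_arn = (
        terraform.applying
        ? "arn:aws:iam::${var.mp_account_id}:role/github-actions-apply"
        : "arn:aws:iam::${var.mp_account_id}:role/github-actions-plan"
      )
    }
  }
}
```

The conditional only picks which role Terraform requests. Blocking an apply from a non-main branch still depends on who is permitted to assume `github-actions-apply`, which is set on the role itself and not in this configuration.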