Fix Bedrock IAM for cross-region inference profiles #93
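name: Platform CI

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    paths:
      - 'terraform/platform/**'
      - 'terraform/lambda-src/**'
      - 'scripts/**'
      - '.github/workflows/**'
  pull_request:
    paths:
      - 'terraform/platform/**'
      - 'terraform/lambda-src/**'
      - 'scripts/**'
      - '.github/workflows/**'
  schedule:
    # Drift detection — Monday 06:00 UTC
    - cron: '0 6 * * 1'

# Workflow-wide default is read-only plus the OIDC token every job needs to
# assume its AWS role. Only the plan job comments on pull requests, so
# pull-requests: write is granted there and nowhere else.
permissions:
  id-token: write
  contents: read

concurrency:
  group: platform-ci-${{ github.ref }}
  cancel-in-progress: false  # queue runs on the same ref instead of cancelling them

env:
  TF_ROOT: terraform/platform
  AWS_REGION: eu-central-1
  AWS_ACCOUNT_ID: "553637109631"
  PLAN_BUCKET: javabin-ci-plan-artifacts-553637109631

jobs:
  # --------------------------------------------------------------------------
  # Plan — terraform init, validate, fmt, plan
  # --------------------------------------------------------------------------
  plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    if: github.event_name != 'schedule'  # scheduled runs are handled by the drift job
    permissions:
      id-token: write
      contents: read
      pull-requests: write  # post-plan-comment.sh / post-review-comment.sh
    outputs:
      has_changes: ${{ steps.plan.outputs.has_changes }}
      plan_key: ${{ steps.upload.outputs.plan_key }}
      plan_sha256: ${{ steps.upload.outputs.plan_sha256 }}
      risk_level: ${{ steps.review.outputs.risk_level }}
    steps:
      # NOTE(review): third-party actions are pinned to major tags; pinning to a
      # full commit SHA is the stronger supply-chain control if the team wants it.
      - uses: actions/checkout@v5
      - uses: hashicorp/setup-terraform@v4
        with:
          terraform_version: "1.7"
          terraform_wrapper: false
      # GitHub does not issue OIDC tokens to pull_request runs from forks, so
      # this step fails there — presumably only same-repo PRs are expected.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra-plan
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: javabin-platform-plan-${{ github.run_id }}
      - name: Terraform Init
        working-directory: ${{ env.TF_ROOT }}
        run: terraform init -input=false
      - name: Terraform Validate
        working-directory: ${{ env.TF_ROOT }}
        run: terraform validate
      # -check turns this into a gate: unformatted files fail the job and
      # -diff shows what differs. Without -check, fmt only rewrote the
      # checkout (which is discarded) and the step could never fail.
      - name: Terraform Format
        working-directory: ${{ env.TF_ROOT }}
        run: terraform fmt -check -diff -recursive
      - name: Terraform Plan
        id: plan
        run: scripts/run-plan.sh "$TF_ROOT" -lock-timeout=5m
      - name: Upload plan and output to S3
        id: upload
        if: steps.plan.outputs.has_changes == 'true'
        run: scripts/upload-plan.sh "$TF_ROOT"
      - name: Upload Lambda ZIPs as artifact
        if: steps.plan.outputs.has_changes == 'true'
        uses: actions/upload-artifact@v6
        with:
          name: lambda-zips
          path: ${{ env.TF_ROOT }}/lambdas/builds/
          retention-days: 1
      # Step outputs are passed to the shell through env rather than being
      # interpolated into the run script, so their content is never parsed
      # as shell syntax.
      - name: Post plan to PR
        if: github.event_name == 'pull_request'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          HAS_CHANGES: ${{ steps.plan.outputs.has_changes }}
        run: sh scripts/post-plan-comment.sh "$TF_ROOT/plan-output.txt" "$HAS_CHANGES"
      # ----------------------------------------------------------------
      # LLM Plan Review (inline — plan-output.txt already in workspace)
      # ----------------------------------------------------------------
      # NOTE(review): risk_level is produced by a model reading plan-output.txt,
      # and the apply job blocks on it (check-risk-block.sh). Plan text comes
      # from repository content, so treat the level as advisory and keep an
      # independent gate (e.g. required reviewers on the production
      # environment) in front of apply.
      - name: Run LLM review
        id: review
        if: steps.plan.outputs.has_changes == 'true'
        env:
          REVIEW_RESULT_PATH: review-result.json
        run: sh scripts/extract-review-risk.sh scripts/review-plan.py "$TF_ROOT/plan-output.txt"
      - name: Post review to PR
        if: github.event_name == 'pull_request' && steps.plan.outputs.has_changes == 'true'
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: sh scripts/post-review-comment.sh
      - name: Post HIGH risk to Slack
        if: steps.review.outputs.risk_level == 'HIGH' && github.ref == 'refs/heads/main'
        run: sh scripts/notify-high-risk.sh /javabin/slack/platform-override-alerts-webhook "https://github.com/javaBin/platform/actions/workflows/approve-override.yml"

  # --------------------------------------------------------------------------
  # Apply — auto-apply on LOW/MEDIUM, block on HIGH
  # --------------------------------------------------------------------------
  apply:
    name: Terraform Apply
    runs-on: ubuntu-latest
    needs: plan
    if: >-
      github.ref == 'refs/heads/main' &&
      github.event_name == 'push' &&
      needs.plan.outputs.has_changes == 'true'
    environment: production
    steps:
      - uses: actions/checkout@v5
      - uses: hashicorp/setup-terraform@v4
        with:
          terraform_version: "1.7"
          terraform_wrapper: false
      - uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: javabin-apply-${{ github.run_id }}
      - name: Check risk level
        env:
          RISK: ${{ needs.plan.outputs.risk_level }}
        run: sh scripts/check-risk-block.sh "$RISK"
      - name: Download Lambda ZIPs from artifact
        uses: actions/download-artifact@v5
        with:
          name: lambda-zips
          path: ${{ env.TF_ROOT }}/lambdas/builds/
      # Job outputs from plan are exposed as env vars (same pattern as RISK
      # above) instead of being expanded inside the shell command line.
      - name: Download plan from S3
        working-directory: ${{ env.TF_ROOT }}
        env:
          PLAN_KEY: ${{ needs.plan.outputs.plan_key }}
        run: aws s3 cp "s3://${PLAN_BUCKET}/${PLAN_KEY}" tfplan
      # The saved plan travels through S3 between jobs; the digest recorded
      # by the plan job pins the applied file to the one that was reviewed.
      - name: Verify plan integrity
        working-directory: ${{ env.TF_ROOT }}
        env:
          PLAN_SHA256: ${{ needs.plan.outputs.plan_sha256 }}
        run: sh "${{ github.workspace }}/scripts/verify-plan.sh" tfplan "$PLAN_SHA256"
      - name: Terraform Init
        working-directory: ${{ env.TF_ROOT }}
        run: terraform init -input=false
      - name: Terraform Apply
        working-directory: ${{ env.TF_ROOT }}
        run: terraform apply -auto-approve -lock-timeout=5m tfplan

  # --------------------------------------------------------------------------
  # Drift Detection — scheduled weekly, plan-only
  # --------------------------------------------------------------------------
  drift:
    name: Drift Detection
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule'
    steps:
      - uses: actions/checkout@v5
      - uses: hashicorp/setup-terraform@v4
        with:
          terraform_version: "1.7"
          terraform_wrapper: false
      # NOTE(review): this job is plan-only but assumes the apply role
      # (javabin-ci-infra). If javabin-ci-infra-plan can read the Slack
      # webhook parameter used below, switching to it would drop write
      # access from the scheduled run — confirm before changing.
      - uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
          aws-region: ${{ env.AWS_REGION }}
          role-session-name: javabin-drift-${{ github.run_id }}
      - name: Terraform Init
        working-directory: ${{ env.TF_ROOT }}
        run: terraform init -input=false
      - name: Check for drift
        working-directory: ${{ env.TF_ROOT }}
        run: sh "${{ github.workspace }}/scripts/drift-check.sh" /javabin/slack/platform-resource-alerts-webhook "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"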