From a1c5beb02b4528524678ad0dace3329a4a775bcc Mon Sep 17 00:00:00 2001
From: Nicholas Warila <33955773+NWarila@users.noreply.github.com>
Date: Sat, 20 Jun 2026 21:22:31 +0000
Subject: [PATCH] ci(reusable): gate terraform apply behind explicit input

---
 .github/workflows/reusable-terraform-deploy.yaml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-terraform-deploy.yaml b/.github/workflows/reusable-terraform-deploy.yaml
index 93d40ae..a983a15 100644
--- a/.github/workflows/reusable-terraform-deploy.yaml
+++ b/.github/workflows/reusable-terraform-deploy.yaml
@@ -15,7 +15,8 @@ name: Reusable Terraform Deploy
 # 3. Imports any already-existing repository and repository-ruleset resources
 # into state before planning. This lets the framework adopt a pre-existing
 # fleet without trying to create resources that already exist.
-# 4. Runs terraform init/plan/apply against the assembled tree.
+# 4. Runs terraform init/plan against the assembled tree; apply only runs when
+# the caller explicitly sets `apply: true`.
 #
 # S3 layout convention
 # --------------------
@@ -102,6 +103,14 @@ on:
 required: false
 type: boolean
 default: false
+ apply:
+ description: |
 When true, apply the real-state Terraform plan. Leave false to produce and upload a real-state plan without changing managed resources. Ignored when plan_only is true.
+ required: false
+ type: boolean
+ default: false
 secrets:
 aws_role_arn:
 description: ARN of the AWS role to assume via OIDC.
@@ -484,7 +493,7 @@ jobs:
 retention-days: 90
 - name: Terraform apply
- if: ${{ !inputs.plan_only }}
+ if: ${{ inputs.apply && !inputs.plan_only }}
 working-directory: framework/terraform
 run: terraform apply -auto-approve tfplan
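Review bot: The new `if: ${{ inputs.apply && !inputs.plan_only }}` condition on the `Terraform apply` step is a caller-controlled switch, not an authorization boundary — any workflow that can call this reusable workflow and supply `aws_role_arn` can set `apply: true`, and nothing in this hunk binds the apply step to a protected GitHub environment or to a role that is only assumable from an apply context. Consider running apply in its own job with an `environment:` that has required reviewers, and narrowing the assumed role's OIDC trust policy to that environment (or the `job_workflow_ref` claim), so that flipping the input alone cannot mutate real state. Separately, `-auto-approve` is redundant when a saved plan is given (`terraform apply tfplan` never prompts), so `run: terraform apply tfplan` states more clearly that the reviewed plan file is the approval artifact. The input description says the real-state plan is uploaded when `apply` is false; a binary `tfplan` can embed sensitive variable and attribute values, so the 90-day artifact retention visible in the context above deserves a comment or a shorter window if that step is the plan upload. The enclosing job starts outside the hunk, so whether an `environment:` is already set at job level cannot be confirmed from here.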