
[FEATURE] Add shared OpenTofu reusable workflows #41

Merged
John McCall (lowlydba) merged 3 commits into main from add-shared-tofu-workflows on Jun 30, 2026

Conversation

@lowlydba

Contributor

Closes #40

Ports shared-tofu-plan.yaml and shared-tofu-apply.yaml from the private omf-github-terraform repo to this public repo.

The root cause: zizmor online audits (ref-confusion, impostor-commit) verify branch/tag refs by calling the GitHub API on the target repo. The GITHUB_TOKEN is always repo-scoped and cannot read a different repo, even with Actions sharing enabled -- those are separate permission systems. Moving the workflows here (public) lets zizmor verify refs without any token.

Notable change: oidc_role_arn is now a required input with no default. The previous default was the Internal Tools OIDC hub role ARN; callers must now pass it explicitly. Existing callers (omf-identity-center-terraform, omf-managed-environments-terraform, etc.) will need a follow-up update to their uses: path and to add the oidc_role_arn input.

Port shared-tofu-plan and shared-tofu-apply from the private
omf-github-terraform repo to this public repo so zizmor online
audits (ref-confusion, impostor-commit) can verify refs without
a cross-repo token.

Changes vs omf-github-terraform version:
- oidc_role_arn is now required with no default; callers must pass
  the IAM role ARN explicitly
- actions/checkout bumped to v4.2.2 (SHA-pinned)

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>

overture-projection Bot commented Jun 30, 2026


Overture PRojection Review

This PR ports shared OpenTofu reusable workflows from a private repo to enable public ref verification, and updates OIDC role input requirements.

✅ Checks Passed

  • The workflows are ported as described, with the notable change that oidc_role_arn is now required and has no default, matching the stated intent.
  • Linked issue is present and correctly referenced.
  • No hardcoded secrets or AWS credentials are visible.
  • AWS ops are handled at the workflow level, not in Airflow DAGs.
  • No hardcoded POSIX paths; all paths are parameterized or default to ..
  • License is MIT and no new repo root is added.

🚩 Flags

  • .github/workflows/shared-tofu-plan.yaml / shared-tofu-apply.yaml: No tests are included (Tests: ❌ none in diff). Since these are reusable workflows, this is expected, but if any logic changes are made in the future, consider adding workflow-level validation or test runs.
  • .github/workflows/shared-tofu-apply.yaml: lines 89-98 & shared-tofu-plan.yaml: lines 87-96
    The environment variable masking logic uses cut -d'=' -f2- on secrets, which assumes all secret values are in KEY=VALUE format. If secrets are not formatted this way, masking may not work as intended, potentially exposing secret values in logs.
    Recommendation: Confirm that all secrets passed via env_secret and tofu_secret_variables are consistently formatted as KEY=VALUE. If not, update the masking logic to handle plain values or other formats.

❓ Open Questions

  • .github/workflows/shared-tofu-apply.yaml / shared-tofu-plan.yaml:
    The Azure OIDC setup (azure_oidc input) installs the Azure CLI but does not appear to perform an explicit login. Is this sufficient for all use cases, or should a login step be included for workflows requiring Azure authentication?

Context Files

  • Guidance on code consistency and licensing is followed; MIT license is present.
  • GitHub usage guidelines are respected, including issue linkage and workflow structure.

No blocking bugs or security issues found. The main process flag is around secret masking logic—please confirm secret formats or update masking as needed. Otherwise, the port and workflow changes are sound.

- Move permissions from workflow level to job level with explanatory
  comments (fixes excessive-permissions in apply, undocumented-permissions
  in plan)
- Add persist-credentials: false to checkout steps (fixes artipacked)
- Fix template-injection: pass inputs.env and secrets via step env vars
  instead of direct template expansion; drop echo -e in favour of plain echo
- Add ref-version-mismatch to existing zizmor:ignore directives in
  check-linked-issue and overture-projection actions

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>

Zizmor flags missing top-level permissions block as excessive-permissions
(default permissions used). Add permissions: {} at workflow scope so
callers get deny-all by default; job-level grants remain unchanged.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

Signed-off-by: John McCall <john@overturemaps.org>
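The points raised across the PR description (required oidc_role_arn, no cross-repo token), the PRojection review flag on the cut -d'=' -f2- masking, and the two hardening commits above (job-level permissions, permissions: {} at workflow scope, persist-credentials: false, secrets via step env) drawn together in one skeleton. This is an added example, not the project's shared-tofu-plan.yaml: <sha> stands for a full commit SHA, the aws_region input and the configure-aws-credentials / setup-opentofu actions are assumptions, the secret names env_secret and tofu_secret_variables come from the review comment, and the export step assumes env_secret lines are meant for the job environment, which the page implies but does not show.

```yaml
# Added example, not the project's shared-tofu-plan.yaml. <sha> stands for a
# full commit SHA; aws_region and the two AWS/OpenTofu actions are assumptions.
name: shared-tofu-plan (example)

on:
  workflow_call:
    inputs:
      oidc_role_arn:
        description: IAM role ARN assumed via GitHub OIDC; required, no default
        required: true
        type: string
      path:
        required: false
        type: string
        default: .
      aws_region:            # assumed input
        required: false
        type: string
        default: us-east-1
    secrets:
      env_secret:            # KEY=VALUE lines, per the review comment
        required: false
      tofu_secret_variables: # KEY=VALUE lines or plain values
        required: false

# Deny-all at workflow scope; each job re-grants only what it needs
# (zizmor: excessive-permissions / undocumented-permissions).
permissions: {}

jobs:
  plan:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only
      id-token: write  # mint the OIDC token that the IAM role trusts
    steps:
      - uses: actions/checkout@<sha>  # v4.2.2
        with:
          persist-credentials: false  # keep GITHUB_TOKEN out of .git/config (zizmor: artipacked)

      - uses: aws-actions/configure-aws-credentials@<sha>  # assumed action
        with:
          role-to-assume: ${{ inputs.oidc_role_arn }}
          aws-region: ${{ inputs.aws_region }}

      - uses: opentofu/setup-opentofu@<sha>  # assumed action

      - name: Mask secret values before anything can echo them
        # Secrets reach the script through the step env, never through ${{ }}
        # inside run: (zizmor: template-injection).
        env:
          ENV_SECRET: ${{ secrets.env_secret }}
          TOFU_SECRET_VARIABLES: ${{ secrets.tofu_secret_variables }}
        shell: bash
        run: |
          set -euo pipefail
          mask_lines() {
            # Mask every line whole and, when it contains '=', the part after
            # the first '=' as well. That covers KEY=VALUE (VALUE is what leaks)
            # and plain values, including plain values that contain '=' such as
            # base64 padding, which cut -d'=' -f2- would reduce to "=".
            while IFS= read -r line || [ -n "$line" ]; do
              [ -n "$line" ] || continue
              echo "::add-mask::$line"
              case "$line" in
                *=*)
                  value=${line#*=}
                  # A suffix of a few characters would blank every '=' in the log.
                  if [ "${#value}" -ge 4 ]; then
                    echo "::add-mask::$value"
                  fi
                  ;;
              esac
            done
          }
          printf '%s\n' "$ENV_SECRET" | mask_lines
          printf '%s\n' "$TOFU_SECRET_VARIABLES" | mask_lines

      - name: Export KEY=VALUE secrets to the job environment
        env:
          ENV_SECRET: ${{ secrets.env_secret }}
        shell: bash
        run: |
          set -euo pipefail
          # Only well-formed KEY=VALUE lines are exported; a plain value has no
          # name to bind to and is skipped instead of producing "=value".
          printf '%s\n' "$ENV_SECRET" | while IFS= read -r line || [ -n "$line" ]; do
            if [[ $line =~ ^[A-Za-z_][A-Za-z0-9_]*= ]]; then
              echo "$line" >> "$GITHUB_ENV"
            fi
          done

      - name: Plan
        working-directory: ${{ inputs.path }}
        run: |
          tofu init -input=false
          tofu plan -input=false
```

A caller references this by its full-SHA uses: path and passes oidc_role_arn under with:, which is the follow-up the PR description asks of the existing callers. Because the called workflow declares permissions: {} at the top and grants only contents: read and id-token: write on the job, the plan job holds nothing more whatever the caller's token carries. Masking the whole line as well as the suffix after the first '=' is deliberately redundant: over-masking a KEY=VALUE string costs nothing, while under-masking a plain value that happens to contain '=' is exactly the failure the review flagged.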
@detjensrobert


There are a couple LF tofu workflows we created that we may want to add here and use: combo plan-and-apply for manual runs so that the CI apply doesn't need workflow-dispatch, and a check-drift job for alerts.

@lowlydba John McCall (lowlydba) marked this pull request as ready for review June 30, 2026 18:08
@lowlydba John McCall (lowlydba) requested a review from a team as a code owner June 30, 2026 18:08
Copilot AI review requested due to automatic review settings June 30, 2026 18:08

Copilot AI left a comment

Pull request overview

Ports the shared OpenTofu reusable plan/apply workflows into this public workflows repository so zizmor online audits can verify workflow refs without cross-repo GITHUB_TOKEN access constraints.

Changes:

  • Added new reusable workflows: shared-tofu-plan.yaml and shared-tofu-apply.yaml for standardized OpenTofu plan/apply execution via AWS OIDC.
  • Updated composite actions to suppress an additional zizmor finding (ref-version-mismatch) on actions/create-github-app-token.
  • Adjusted the reusable workflow API so callers must explicitly provide oidc_role_arn (no implicit default).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 8 comments.

File Description
.github/workflows/shared-tofu-plan.yaml New reusable workflow implementing an OpenTofu “plan” job with AWS OIDC + optional extras (secrets manager, artifacts).
.github/workflows/shared-tofu-apply.yaml New reusable workflow implementing an OpenTofu “apply” job mirroring the plan workflow and adding an Azure-related pre-run hook.
.github/actions/overture-projection/action.yml Adds an extra zizmor ignore annotation on the pinned create-github-app-token action reference.
.github/actions/check-linked-issue/action.yml Adds an extra zizmor ignore annotation on the pinned create-github-app-token action reference.

@lowlydba

Contributor Author

There are a couple LF tofu workflows we created that we may want to add here and use: combo plan-and-apply for manual runs so that the CI apply doesn't need workflow-dispatch, and a check-drift job for alerts.

Lets add em! Those sound great

OK

@lowlydba John McCall (lowlydba) merged commit 1845de2 into main Jun 30, 2026
10 checks passed
@lowlydba John McCall (lowlydba) deleted the add-shared-tofu-workflows branch June 30, 2026 19:04

Development

Successfully merging this pull request may close these issues.

[FEATURE] Port shared OpenTofu reusable workflows from omf-github-terraform

4 participants