github-workflows-dojo360-terraform
Deploy infrastructure using Dojo360 Pipelines Infrastructure Workflow with Terraform
Dojo360 Infrastructure Workflow Skill
Overview
This skill enables deployment of cloud infrastructure using the Dojo360 Pipelines infrastructure.yml reusable workflow. The workflow provisions and manages resources on supported CloudBricks cloud-types using HashiCorp Terraform and supports both OIDC and PCAM authentication methods.
Workflow Reference
Repository: dojo360/pipelines-workflows
Workflow: .github/workflows/infrastructure.yml
Version: v2.0.0 (stable) or @beta (latest)
Documentation: Infrastructure Workflow Docs
Key Features
- Multi-Cloud Support: AWS, Azure, and GCP via supported cloud-types
- Authentication Options:
  - OIDC authentication (for `awsOptum` and `azureOptum`)
  - InstanceProfile authentication (for `awsChc20`)
  - PCAM vaulted access for Azure (non-OIDC)
- Terraform Management: Supports remote state management with multiple backend types
- Environment-Specific Configuration: Individual `tfvars` files for each environment
- Secrets Management: Integration with PRM, Volcan, and Terraform Enterprise
- Plan/Apply Workflow: Standard Terraform plan and apply with optional plan-only mode
Prerequisites
1. Dojo360 Metadata Onboarding
Your product must be onboarded to the Dojo360 Metadata API or have a local metadata file created.
2. OIDC Configuration
Required when using:
- `cloud-type: awsOptum` - AWS OIDC Setup
- `cloud-type: azureOptum` - Azure OIDC Setup
3. GitHub Environments
Configure GitHub environments (e.g., dev-us-east-1, nonprod-us-east-1, prod-us-east-1) with appropriate protection rules and approval gates.
Required Inputs
| Input | Description | Example |
|---|---|---|
| `aide-id` | AIDE ID for metadata retrieval | `<your-aide-id>` |
| `team-name` | Team name for metadata lookup | `<your-team-name>` |
| `cloud-type` | Target cloud platform | `awsOptum`, `awsChc20`, `azureOptum` |
| `domain` | Domain for metadata organization | `default` |
| `environment` | Target deployment environment | `dev-us-east-1` |
Common Optional Inputs
| Input | Description | Default |
|---|---|---|
| `terraform-version` | Terraform version to use | `1.9.2` |
| `terraform-directory` | Directory containing Terraform code | `.` |
| `run-plan-only` | Only run plan, skip apply | `false` |
| `remote-state-file-name` | Remote state file path | `""` |
| `remote-state-folder-name` | Remote state folder name | `""` |
| `runner-labels` | GitHub runner labels | `uhg-runner` |
| `backend-type` | Terraform backend type | `azurerm` |
| `terraform-vars-files` | Comma-separated tfvars files | `""` |
| `terraform-vars-values` | JSON string of tfvars | `""` |
| `ref` | Git branch/tag/SHA to checkout | Event ref |
Secrets Management
Required Secrets
- `GH_TOKEN` - GitHub Personal Access Token with:
  - `repo` (all) scope
  - `workflow` scope
  - SSO authorization to Dojo360 and your GitHub organization
Optional Secrets
- `JFROG_SAAS_TOKEN` - Enterprise Registry (SaaS) Service Account token
Secrets Integration Options
PRM (Privileged Resource Manager):
```yaml
terraform-prm-secrets: "DB_PASSWORD,API_KEY"
prm-base-url: "https://prm.optum.com"
```
Volcan:
```yaml
terraform-volcan-secrets: "SECRET_1,SECRET_2"
volcan-base-url: "volcan-cloud.optum.com"
```
Terraform Enterprise:
```yaml
tfe-hostname: "app.terraform.io"
tfe-organization: "your-org"
tfe-workspace: "your-workspace"
```
Terraform State Management
Azure Backend (Default)
```yaml
backend-type: "azurerm"
azurerm-backend-resource-group-name: "tfstate-rg"
azurerm-backend-storage-account-name: "tfstatestorage"
azurerm-backend-container-name: "tfstate"
azurerm-backend-key: "terraform.tfstate"
```
AWS S3 Backend
```yaml
backend-type: "s3"
aws-s3-bucket-name: "my-terraform-state"
aws-s3-region: "us-east-1"
aws-s3-key: "path/to/terraform.tfstate"
```
GCP Backend
```yaml
backend-type: "gcs"
gcs-bucket-name: "my-terraform-state"
gcs-prefix: "path/to/state"
```
Workflow Jobs
The infrastructure workflow executes the following jobs:
- Setup - Configure authentication and environment
- Plan - Run `terraform plan` to preview changes
- Apply - Execute `terraform apply` to deploy infrastructure (unless `run-plan-only: true`)
- E2E Tests (Optional) - Run end-to-end tests post-deployment
Usage Examples
Basic AWS OIDC Deployment
```yaml
name: Deploy Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Select deployment environment"
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1
          - prod-us-east-1
        required: true
jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-version: '1.10.5'
      terraform-directory: './tf'
      remote-state-file-name: "myproject/terraform.tfstate"
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
Plan-Only Mode (PR Validation)
```yaml
name: Validate Infrastructure Changes
on:
  pull_request:
    branches: [main]
    paths: ['tf/**']
jobs:
  validate:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: 'dev-us-east-1'
      terraform-directory: './tf'
      run-plan-only: true
      comment-on-pr: true
      pr-number: ${{ github.event.pull_request.number }}
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
Azure Deployment with PCAM
```yaml
name: Deploy Azure Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Environment"
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1
jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'azureOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      backend-type: 'azurerm'
      azurerm-backend-resource-group-name: 'tfstate-rg'
      azurerm-backend-storage-account-name: 'tfstatestorage'
      azurerm-backend-container-name: 'tfstate'
      pcam-role: 'contributor'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
Multi-Environment Deployment with tfvars
```yaml
name: Deploy with Environment-Specific Variables
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1
jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      terraform-vars-files: "tfvars/${{ inputs.environment }}.tfvars,tfvars/common.tfvars"
      terraform-vars-values: '{"project_name":"myproject","region":"us-east-1"}'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
With PRM Secrets Integration
```yaml
name: Deploy with PRM Secrets
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - dev-us-east-1
          - prod-us-east-1
jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      terraform-prm-secrets: "DB_PASSWORD,API_KEY,SERVICE_TOKEN"
      prm-base-url: "https://prm.optum.com"
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
With End-to-End Tests
```yaml
name: Deploy and Test Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options: [dev-us-east-1]
jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      e2e-tests-enabled: true
      e2e-workflow-file: '.github/workflows/e2e-tests.yml'
      e2e-workflow-inputs: '{"test_suite":"smoke","timeout":"300"}'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
```
Cloud-Type Specific Configurations
awsOptum (AWS with OIDC)
- Authentication: OIDC via GitHub Actions
- Runners: Automatically selected based on metadata
- Prerequisites: OIDC configured in AWS IAM
- Terraform Modules: Must use Dojo360 AWS Modules
awsChc20 (AWS with Instance Profile)
- Authentication: Instance Profile from runners
- Runners: Specific CHC runners with AWS credentials
- Prerequisites: Runner with AWS access configured
- Terraform Modules: Must use Dojo360 AWS Modules
azureOptum (Azure with OIDC)
- Authentication: OIDC via GitHub Actions
- Runners: Automatically selected
- Prerequisites: OIDC configured in Azure AD
- Terraform Modules: Must use Dojo360 Azure Modules
Requirements
- Terraform: ~> 1.9.x (configurable via `terraform-version`)
- AWS Provider: ~> 5.xx (for AWS operations)
- Azure Provider: ~> 3.xx (for Azure operations)
- GCP Provider: ~> 6.xx (for GCP operations)
Project Structure
```text
your-repo/
├── .github/
│   └── workflows/
│       └── infra-creation.yml   # This workflow file
├── tf/                          # Terraform code directory
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   └── tfvars/
│       ├── dev.tfvars
│       ├── nonprod.tfvars
│       └── prod.tfvars
└── README.md
```
Best Practices
- Version Pinning: Use specific workflow versions (`@v2.0.0`) instead of `@beta` in production
- Environment Protection: Configure GitHub environment protection rules for production deployments
- State Management: Always use remote state with appropriate locking mechanisms
- Secrets Security: Never hardcode secrets; use PRM, Volcan, or Terraform Enterprise
- tfvars Organization: Maintain separate tfvars files per environment for clarity
- Runner Selection: Use appropriate runner labels based on cloud-type and security requirements
- Plan Review: Enable `comment-on-pr` for pull request-based deployments to review plans
- Terraform Version: Pin to tested Terraform versions to ensure consistency
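As an added example (not code from the Dojo360 project), a small Python check that enforces three of the practices above on a caller workflow file before it is merged: the reusable workflow is pinned to a release tag rather than `@beta`, no secret-looking keys appear in the committed `terraform-vars-values` JSON, and a `pull_request`-triggered caller sets `run-plan-only: true`. `check_workflow` and the two sample callers are this example's own constructions.

```python
import json
import re

WORKFLOW_PATH = "dojo360/pipelines-workflows/.github/workflows/infrastructure.yml"

def check_workflow(text: str) -> list[str]:
    """Return policy findings for one caller workflow file (empty list = passes)."""
    findings = []
    # Rule 1: the reusable workflow must be pinned to a release tag, not @beta.
    for m in re.finditer(r"uses:\s*(\S+)", text):
        ref = m.group(1)
        if ref.startswith(WORKFLOW_PATH):
            version = ref.partition("@")[2]
            if not re.fullmatch(r"v\d+\.\d+\.\d+", version):
                findings.append(f"unpinned workflow ref '@{version}'; pin to a release such as @v2.0.0")
    # Rule 2: terraform-vars-values is literal JSON committed to the repo, so it must not carry secrets.
    for m in re.finditer(r"terraform-vars-values:\s*'([^']*)'", text):
        for key in json.loads(m.group(1)):
            if re.search(r"password|secret|token|api_?key", key, re.IGNORECASE):
                findings.append(f"tfvars value '{key}' looks like a secret; use terraform-prm-secrets instead")
    # Rule 3: a pull_request-triggered caller should only plan, never apply.
    on_pull_request = re.search(r"^\s*pull_request:", text, re.MULTILINE) is not None
    plan_only = re.search(r"run-plan-only:\s*true", text) is not None
    if on_pull_request and not plan_only:
        findings.append("pull_request trigger without run-plan-only: true; PR runs should only plan")
    return findings

# Constructed sample callers (not from the Dojo360 docs): one breaks all three rules, one passes.
BAD_WORKFLOW = """\
on:
  pull_request:
jobs:
  validate:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@beta
    with:
      terraform-vars-values: '{"project_name":"myproject","db_password":"<placeholder>"}'
"""
GOOD_WORKFLOW = """\
on:
  pull_request:
jobs:
  validate:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      run-plan-only: true
      terraform-prm-secrets: "DB_PASSWORD"
      terraform-vars-values: '{"project_name":"myproject"}'
"""
```

Run it over `.github/workflows/*.yml` in a pre-merge job and fail the job when `check_workflow` returns any findings.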
Troubleshooting
Common Issues
- Authentication Failures
  - Verify OIDC configuration for cloud provider
  - Check GitHub secrets are properly configured
  - Ensure runner has appropriate permissions
- State Lock Issues
  - Use `terraform-ops` workflow to force unlock if needed
  - Verify backend configuration is correct
  - Check state file permissions
- Metadata Errors
  - Confirm AIDE ID is correct and onboarded
  - Verify team-name matches metadata
  - Check cloud-type is supported
- Runner Issues
  - Verify runner-labels match available runners
  - Check runner has required cloud provider access
  - Ensure runner has Terraform and provider tools installed
Related Workflows
- Infrastructure Promotion: `infrastructure-promotion.yml` - Multi-environment promotion workflow
- Terraform Destroy: `destroy.yml` - Resource destruction workflow
- Terraform Ops: `terraform-ops.yml` - State management operations
Support & Documentation
- Sample Applications: Dojo360 Infrastructure Samples
- CloudBricks Documentation: Working with CloudBricks
- Supported Cloud Types: Cloud Types Guide
Workflow Evolution
- v1.x: Initial release with basic Terraform support
- v2.0.0: Added SaaS Artifactory support, OIDC improvements
- v2.1.0: Updated default Terraform provider mirror to Enterprise Registry (SaaS)
Note: This skill provides infrastructure deployment capabilities using enterprise-standard patterns for Optum's cloud environments. Always follow your organization's security and compliance guidelines when deploying infrastructure.