
github-workflows-dojo360-terraform

Deploy infrastructure using Dojo360 Pipelines Infrastructure Workflow with Terraform

Status: active
IDE: claude, codex, vscode
Version: 1.0.0
Owner: pcorazao
Tags: github-actions, workflow, dojo360

Dojo360 Infrastructure Workflow Skill

Overview

This skill enables deployment of cloud infrastructure using the Dojo360 Pipelines infrastructure.yml reusable workflow. The workflow provisions and manages resources on supported CloudBricks cloud-types using HashiCorp Terraform and supports OIDC, runner instance-profile, and PCAM authentication (see Key Features).

Workflow Reference

Repository: dojo360/pipelines-workflows
Workflow: .github/workflows/infrastructure.yml
Version: v2.0.0 (stable) or @beta (latest)
Documentation: Infrastructure Workflow Docs

Key Features

  • Multi-Cloud Support: AWS, Azure, and GCP via supported cloud-types (the cloud-types documented on this page are awsOptum, awsChc20, and azureOptum; GCP appears below only as a gcs state backend)
  • Authentication Options:
    • OIDC authentication (for awsOptum and azureOptum)
    • InstanceProfile authentication (for awsChc20)
    • PCAM vaulted access for Azure (non-OIDC)
  • Terraform Management: Supports remote state management with multiple backend types
  • Environment-Specific Configuration: Individual tfvars files for each environment
  • Secrets Management: Integration with PRM, Volcan, and Terraform Enterprise
  • Plan/Apply Workflow: Standard Terraform plan and apply with optional plan-only mode

Prerequisites

1. Dojo360 Metadata Onboarding

Your product must be onboarded to the Dojo360 Metadata API or have a local metadata file created.

2. OIDC Configuration

Required when using:

  • cloud-type: awsOptum - AWS OIDC Setup
  • cloud-type: azureOptum - Azure OIDC Setup

3. GitHub Environments

Configure GitHub environments (e.g., dev-us-east-1, nonprod-us-east-1, prod-us-east-1) with appropriate protection rules and approval gates.

Required Inputs

Input | Description | Example
--- | --- | ---
aide-id | AIDE ID for metadata retrieval | <your-aide-id>
team-name | Team name for metadata lookup | <your-team-name>
cloud-type | Target cloud platform | awsOptum, awsChc20, azureOptum
domain | Domain for metadata organization | default
environment | Target deployment environment | dev-us-east-1

Common Optional Inputs

Input | Description | Default
--- | --- | ---
terraform-version | Terraform version to use | 1.9.2
terraform-directory | Directory containing Terraform code | .
run-plan-only | Only run plan, skip apply | false
remote-state-file-name | Remote state file path | ""
remote-state-folder-name | Remote state folder name | ""
runner-labels | GitHub runner labels | uhg-runner
backend-type | Terraform backend type | azurerm
terraform-vars-files | Comma-separated tfvars files | ""
terraform-vars-values | JSON string of tfvars | ""
ref | Git branch/tag/SHA to checkout | Event ref

Secrets Management

Required Secrets

  • GH_TOKEN - GitHub Personal Access Token with:
    • repo (all) scope
    • workflow scope
    • SSO authorization to Dojo360 and your GitHub organization

A token with repo and workflow scope can read and push to every repository it is authorized for, workflow files included, so issue it from a dedicated service account rather than a personal one, store it as a GitHub environment secret behind the same protection rules as the deployment environment, and rotate it on a schedule.
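A pre-flight check for the GH_TOKEN secret, added here as an example and not part of the Dojo360 project: classic personal access tokens report their granted scopes in the X-OAuth-Scopes response header of any api.github.com call, so the token can be verified against the repo and workflow scopes listed above before it is stored as a secret. The table of which parent scope implies which narrower scopes is an assumption drawn from GitHub's scope documentation; the header values in the usage are constructed.

```python
"""Check that a classic PAT carries the scopes the infrastructure workflow needs.

Added example, not Dojo360 project code. Classic PATs return their scopes in
the X-OAuth-Scopes header; fine-grained PATs and GitHub App tokens do not
expose that header, so an absent header is reported rather than guessed.
"""
import os
import urllib.request

REQUIRED_SCOPES = ("repo", "workflow")

# Assumed from GitHub's scope docs: a parent scope covers these narrower ones,
# but the header lists only the parent, so the implication must be applied here.
IMPLIED_BY = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
}


def parse_scopes(header_value):
    """Turn 'repo, workflow, read:org' into a set; None when the header is absent."""
    if header_value is None:
        return None
    return {s.strip() for s in header_value.split(",") if s.strip()}


def missing_scopes(granted, required=REQUIRED_SCOPES):
    """Return the required scopes that `granted` covers neither directly nor by implication."""
    if granted is None:
        return set(required)  # scopes not inspectable: treat everything as missing
    effective = set(granted)
    for scope in granted:
        effective |= IMPLIED_BY.get(scope, set())
    return {s for s in required if s not in effective}


def fetch_scopes(token):
    """Network call (not exercised offline): ask api.github.com which scopes `token` carries."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_scopes(resp.headers.get("X-OAuth-Scopes"))


if __name__ == "__main__":
    # Constructed header values standing in for real API responses.
    for header in ("repo, workflow, read:org", "public_repo, workflow", None):
        print(repr(header), "->", sorted(missing_scopes(parse_scopes(header))) or "ok")
    if os.environ.get("GH_TOKEN"):
        print("live:", sorted(missing_scopes(fetch_scopes(os.environ["GH_TOKEN"]))) or "ok")
```

Run it with GH_TOKEN exported to check the real token; the constructed cases show the two failure modes worth catching before a deploy fails at checkout: a token scoped to public_repo only, and a token whose scopes cannot be read from the header at all.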

Optional Secrets

  • JFROG_SAAS_TOKEN - Enterprise Registry (SaaS) Service Account token

Secrets Integration Options

PRM (Privileged Resource Manager):

terraform-prm-secrets: "DB_PASSWORD,API_KEY"
prm-base-url: "https://prm.optum.com"

Volcan:

terraform-volcan-secrets: "SECRET_1,SECRET_2"
volcan-base-url: "volcan-cloud.optum.com"

Terraform Enterprise:

tfe-hostname: "app.terraform.io"
tfe-organization: "your-org"
tfe-workspace: "your-workspace"

Terraform State Management

Azure Backend (Default)

backend-type: "azurerm"
azurerm-backend-resource-group-name: "tfstate-rg"
azurerm-backend-storage-account-name: "tfstatestorage"
azurerm-backend-container-name: "tfstate"
azurerm-backend-key: "terraform.tfstate"

AWS S3 Backend

backend-type: "s3"
aws-s3-bucket-name: "my-terraform-state"
aws-s3-region: "us-east-1"
aws-s3-key: "path/to/terraform.tfstate"

GCP Backend

backend-type: "gcs"
gcs-bucket-name: "my-terraform-state"
gcs-prefix: "path/to/state"

Workflow Jobs

The infrastructure workflow executes the following jobs:

  1. Setup - Configure authentication and environment
  2. Plan - Run terraform plan to preview changes
  3. Apply - Execute terraform apply to deploy infrastructure (unless run-plan-only: true)
  4. E2E Tests (Optional) - Run end-to-end tests post-deployment

Usage Examples

Basic AWS OIDC Deployment

name: Deploy Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Select deployment environment"
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1
          - prod-us-east-1
        required: true

jobs:
  deploy:
    permissions:
      id-token: write   # GitHub OIDC token exchange; a reusable workflow cannot elevate beyond the caller's grant
      contents: read
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-version: '1.10.5'
      terraform-directory: './tf'
      remote-state-file-name: "myproject/terraform.tfstate"
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

Plan-Only Mode (PR Validation)

name: Validate Infrastructure Changes
on:
  pull_request:
    branches: [main]
    paths: ['tf/**']

jobs:
  validate:
    permissions:
      id-token: write        # GitHub OIDC token exchange for awsOptum
      contents: read
      pull-requests: write   # lets comment-on-pr post the plan if the workflow uses GITHUB_TOKEN for it
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: 'dev-us-east-1'
      terraform-directory: './tf'
      run-plan-only: true
      comment-on-pr: true
      pr-number: ${{ github.event.pull_request.number }}
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

Plan-only on a pull request is still code execution with cloud credentials: terraform plan runs provider and data-source code from the PR branch, so anyone who can open a PR from a branch of this repository runs that code with the dev-us-east-1 credentials. Keep plan-only runs pointed at non-production environments and protect main with required reviews. Pull requests from forks do not receive repository secrets, so for them GH_TOKEN is empty and the run fails rather than exposing anything.

Azure Deployment with PCAM

name: Deploy Azure Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Environment"
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1

jobs:
  deploy:
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'azureOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      backend-type: 'azurerm'
      azurerm-backend-resource-group-name: 'tfstate-rg'
      azurerm-backend-storage-account-name: 'tfstatestorage'
      azurerm-backend-container-name: 'tfstate'
      pcam-role: 'contributor'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

Multi-Environment Deployment with tfvars

name: Deploy with Environment-Specific Variables
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - dev-us-east-1
          - nonprod-us-east-1

jobs:
  deploy:
    permissions:
      id-token: write   # GitHub OIDC token exchange for awsOptum
      contents: read
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      terraform-vars-files: "tfvars/${{ inputs.environment }}.tfvars,tfvars/common.tfvars"
      terraform-vars-values: '{"project_name":"myproject","region":"us-east-1"}'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

Terraform gives later -var-file arguments precedence over earlier ones, so the order of terraform-vars-files matters if the workflow passes the files in the order listed: with the environment file first and common.tfvars second, a variable set in both is taken from common.tfvars. List common.tfvars first when environment-specific values must win, and check the workflow docs for how terraform-vars-values is merged, since this page does not state its precedence.

With PRM Secrets Integration

name: Deploy with PRM Secrets
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options:
          - dev-us-east-1
          - prod-us-east-1

jobs:
  deploy:
    permissions:
      id-token: write   # GitHub OIDC token exchange for awsOptum
      contents: read
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      terraform-prm-secrets: "DB_PASSWORD,API_KEY,SERVICE_TOKEN"
      prm-base-url: "https://prm.optum.com"
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

With End-to-End Tests

name: Deploy and Test Infrastructure
on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        options: [dev-us-east-1]

jobs:
  deploy:
    permissions:
      id-token: write   # GitHub OIDC token exchange for awsOptum
      contents: read
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: '<change me>'
      team-name: '<change me>'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: ${{ inputs.environment }}
      terraform-directory: './tf'
      e2e-tests-enabled: true
      e2e-workflow-file: '.github/workflows/e2e-tests.yml'
      e2e-workflow-inputs: '{"test_suite":"smoke","timeout":"300"}'
      runner-labels: "uhg-runner"
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}

Cloud-Type Specific Configurations

awsOptum (AWS with OIDC)

  • Authentication: OIDC via GitHub Actions
  • Runners: Automatically selected based on metadata
  • Prerequisites: OIDC configured in AWS IAM
  • Terraform Modules: Must use Dojo360 AWS Modules

awsChc20 (AWS with Instance Profile)

  • Authentication: Instance Profile from runners
  • Runners: Specific CHC runners with AWS credentials
  • Prerequisites: Runner with AWS access configured
  • Terraform Modules: Must use Dojo360 AWS Modules

azureOptum (Azure with OIDC)

  • Authentication: OIDC via GitHub Actions
  • Runners: Automatically selected
  • Prerequisites: OIDC configured in Azure AD
  • Terraform Modules: Must use Dojo360 Azure Modules

Requirements

  • Terraform: ~> 1.9.x (configurable via terraform-version)
  • AWS Provider: ~> 5.xx (for AWS operations)
  • Azure Provider: ~> 3.xx (for Azure operations)
  • GCP Provider: ~> 6.xx (for GCP operations)

Project Structure

your-repo/
├── .github/
│   └── workflows/
│       └── infra-creation.yml    # This workflow file
├── tf/                            # Terraform code directory
│   ├── main.tf
│   ├── variables.tf
│   ├── outputs.tf
│   └── tfvars/
│       ├── dev-us-east-1.tfvars       # file names match the environment input,
│       ├── nonprod-us-east-1.tfvars   # so "tfvars/${{ inputs.environment }}.tfvars" resolves
│       └── prod-us-east-1.tfvars
└── README.md

Best Practices

  1. Version Pinning: Use specific workflow versions (@v2.0.0) instead of @beta in production
  2. Environment Protection: Configure GitHub environment protection rules for production deployments
  3. State Management: Always use remote state with locking. The azurerm and gcs backends lock natively; the s3 backend only locks when a DynamoDB table (or, on Terraform 1.10+, its native S3 lock file) is configured, and the s3 inputs listed on this page do not name one, so confirm with the workflow docs how locking is set up before relying on it
  4. Secrets Security: Never hardcode secrets; use PRM, Volcan, or Terraform Enterprise
  5. tfvars Organization: Maintain separate tfvars files per environment for clarity
  6. Runner Selection: Use appropriate runner labels based on cloud-type and security requirements
  7. Plan Review: Enable comment-on-pr for pull request-based deployments to review plans
  8. Terraform Version: Pin to tested Terraform versions to ensure consistency
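The Required Inputs table and the best-practice list above are easy to enforce mechanically before a caller workflow is merged. The following is an added example and not part of the Dojo360 project: a dependency-free Python lint that checks a caller workflow for the five required inputs, a release-tag pin on the uses: line, an id-token: write grant when the cloud-type is one the page lists as OIDC, and a GH_TOKEN taken from the secrets context rather than a pasted literal. It assumes the caller shape shown in the examples on this page (two-space indentation, one job with uses:); the two sample workflows embedded in it are constructed for the demonstration.

```python
"""Lint a caller of the Dojo360 infrastructure.yml reusable workflow.

Added example, not Dojo360 project code. Line-based on purpose (no PyYAML),
so it runs in any pre-commit hook; it assumes the two-space-indented caller
shape shown on this page.
"""
import re

WORKFLOW_PATH = "dojo360/pipelines-workflows/.github/workflows/infrastructure.yml"
REQUIRED_INPUTS = ("aide-id", "team-name", "cloud-type", "domain", "environment")
OIDC_CLOUD_TYPES = {"awsOptum", "azureOptum"}  # cloud-types the page lists as OIDC
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")


def _mapping(lines, key):
    """Return {k: v} for the scalar entries nested directly under the first `key:` line."""
    out = {}
    for i, line in enumerate(lines):
        if line.strip() != f"{key}:":
            continue
        indent = len(line) - len(line.lstrip())
        for nested in lines[i + 1:]:
            if not nested.strip():
                continue
            nested_indent = len(nested) - len(nested.lstrip())
            if nested_indent <= indent:
                break  # left the block
            m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", nested)
            if m and nested_indent == indent + 2:
                out[m.group(1)] = m.group(2).strip("'\"")
        return out
    return out


def lint_caller_workflow(text):
    """Return a list of findings; an empty list means the caller passes every check."""
    lines = text.splitlines()
    findings = []

    uses = re.search(r"^\s*uses:\s*(\S+)", text, re.M)
    if not uses:
        return ["no `uses:` line: this is not a caller of a reusable workflow"]
    path, _, ref = uses.group(1).partition("@")
    if path != WORKFLOW_PATH:
        findings.append(f"uses: points at {path!r}, expected {WORKFLOW_PATH!r}")
    if not RELEASE_TAG.match(ref):
        findings.append(f"uses: ref {ref!r} is not a pinned release tag (no @beta in production)")

    inputs = _mapping(lines, "with")
    for name in REQUIRED_INPUTS:
        if name not in inputs:
            findings.append(f"with: required input {name!r} is missing")
        elif inputs[name] == "<change me>":
            findings.append(f"with: {name!r} still holds the '<change me>' placeholder")

    if inputs.get("cloud-type") in OIDC_CLOUD_TYPES:
        # A reusable workflow cannot elevate GITHUB_TOKEN beyond what the caller grants,
        # so the OIDC token exchange needs id-token: write here, not only in infrastructure.yml.
        if _mapping(lines, "permissions").get("id-token") != "write":
            findings.append(f"cloud-type {inputs['cloud-type']} is OIDC but `permissions: id-token: write` is not granted")

    token = _mapping(lines, "secrets").get("GH_TOKEN")
    if token is None:
        findings.append("secrets: GH_TOKEN is not passed to the reusable workflow")
    elif not SECRET_REF.match(token):
        findings.append("secrets: GH_TOKEN must be `${{ secrets.<NAME> }}`, not a literal")
    return findings


# Constructed sample callers (not from the Dojo360 docs): one sound, one with four defects.
SAMPLE_OK = """\
name: Deploy Infrastructure
on:
  workflow_dispatch:
jobs:
  deploy:
    permissions:
      id-token: write
      contents: read
    uses: dojo360/pipelines-workflows/.github/workflows/infrastructure.yml@v2.0.0
    with:
      aide-id: 'A1234'
      team-name: 'platform-team'
      cloud-type: 'awsOptum'
      domain: 'default'
      environment: 'dev-us-east-1'
      terraform-directory: './tf'
    secrets:
      GH_TOKEN: ${{ secrets.GH_TOKEN }}
"""
SAMPLE_BAD = (
    SAMPLE_OK.replace("@v2.0.0", "@beta")
    .replace("'A1234'", "'<change me>'")
    .replace("${{ secrets.GH_TOKEN }}", "ghp_pasted_literal_token")
    .replace("    permissions:\n      id-token: write\n      contents: read\n", "")
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_caller_workflow(sample) or "clean")
```

Wire lint_caller_workflow over .github/workflows/*.yml in a pre-commit hook or a required status check; the placeholder and literal-token checks catch the two mistakes that otherwise surface only as a failed deploy or a leaked credential in a commit.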

Troubleshooting

Common Issues

  1. Authentication Failures

    • Verify OIDC configuration for cloud provider
    • Check GitHub secrets are properly configured
    • Ensure runner has appropriate permissions
  2. State Lock Issues

    • A stale lock is usually a cancelled or crashed run; confirm in the Actions log that no plan or apply is still running before touching it
    • Use terraform-ops workflow to force unlock only once that is confirmed: force-unlocking under a live run lets two writers race on the same state file
    • Verify backend configuration is correct
    • Check state file permissions
  3. Metadata Errors

    • Confirm AIDE ID is correct and onboarded
    • Verify team-name matches metadata
    • Check cloud-type is supported
  4. Runner Issues

    • Verify runner-labels match available runners
    • Check runner has required cloud provider access
    • Ensure runner has Terraform and provider tools installed

Related Workflows

  • Infrastructure Promotion: infrastructure-promotion.yml - Multi-environment promotion workflow
  • Terraform Destroy: destroy.yml - Resource destruction workflow
  • Terraform Ops: terraform-ops.yml - State management operations

Support & Documentation

Workflow Evolution

  • v1.x: Initial release with basic Terraform support
  • v2.0.0: Added SaaS Artifactory support, OIDC improvements
  • v2.1.0: Updated default Terraform provider mirror to Enterprise Registry (SaaS)

Note: This skill provides infrastructure deployment capabilities using enterprise-standard patterns for Optum's cloud environments. Always follow your organization's security and compliance guidelines when deploying infrastructure.
