Example: COAT tag validation action integration by levgorbunov1 · Pull Request #42383 · ministryofjustice/cloud-platform-environments

Lev Gorbunov (levgorbunov1) · 2026-05-11T12:32:30Z

An example of how to integrate the coat tag validator tool (https://github.com/ministryofjustice/coat-tag-validator) into the cloud-platform-environments repository, to enable validation of terraform tags for namespaces pre-deployment.
A terraform plan AWS role is required to successfully run the plan: https://github.com/ministryofjustice/cloud-platform-environments/actions/runs/25671525262/job/75357828198#step:4:350

Sablu M (sablumiah) · 2026-05-11T12:36:32Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 1 to be updated, 0 to be replaced and 32 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! module.rds.aws_db_parameter_group.custom_parameters

Sablu M (sablumiah) · 2026-05-11T12:37:38Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T12:40:01Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T12:41:08Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T12:53:45Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T12:54:52Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:00:51Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:01:57Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:04:12Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:05:19Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:07:38Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:08:45Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:10:25Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:11:33Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:16:55Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:18:02Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:26:14Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:27:21Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

Sablu M (sablumiah) · 2026-05-11T13:35:21Z

Terraform Plan Summary

Terraform Plan: 2 to be created, 0 to be destroyed, 10 to be updated, 0 to be replaced and 23 unchanged.

Resources to create:

+ module.ecr-repo.github_actions_secret.ecr_registry_url["github-community"]
+ module.serviceaccount.github_actions_secret.cluster-name["github-community"]

Resources to update:

! aws_route53_zone.route53_zone
! module.ecr-repo.aws_ecr_repository.repo
! module.ecr-repo.aws_iam_policy.ecr[0]
! module.ecr-repo.aws_iam_role.github[0]
! module.irsa.module.iam_assumable_role.aws_iam_role.this[0]
! module.rds.aws_db_instance.rds
! module.rds.aws_db_parameter_group.custom_parameters
! module.rds.aws_db_subnet_group.db_subnet[0]
! module.rds.aws_iam_policy.irsa[0]
! module.rds.aws_kms_key.kms[0]

Sablu M (sablumiah) · 2026-05-11T13:36:28Z

This PR CANNOT be auto approved and requires manual approval from the Cloud Platform team.
Reason:
🕵️‍♂️ Manual review required: OPA auto approve policy checks did not pass.

Test	Passed?	Reason
allowlist	❌	This PR includes changes to modules / resources which are not on the allowlist, so we can't auto approve these changes. Please request a Cloud Platform team member's review in #ask-cloud-platform
ecr	✅	Valid ECR related terraform changes
hmpps-template	✅	Valid hmpps template related terraform changes
irsa	✅	Valid irsa related terraform changes
kubernetes_secret	✅	Valid K8s secret related terraform changes
rds	✅	Valid RDS module related terraform changes
secrets_manager	✅	Valid secrets manager related terraform changes
service_pod	✅	Valid Service pod related changes
sns	✅	Valid sns related terraform changes

Please raise it in #ask-cloud-platform Slack channel.

add tag validaiton workflow

d2f14ff

Lev Gorbunov (levgorbunov1) requested a review from a team as a code owner May 11, 2026 12:32

push test change to terraform

d434017

set mock terraform variables

2cd5c67

Lev Gorbunov (levgorbunov1) added 2 commits May 11, 2026 13:56

set dummy aws creds for terraform plan

6e299df

configure aws credentials

71da818

use older aws configure creds step

5275da4

bump aws configure creds version and hardcode aws region

0a0391a

update step name

c5eadce

add skeleton configure aws creds step

4efbd90

Lev Gorbunov (levgorbunov1) changed the title ~~Add coat tag validator workflow~~ Example: COAT tag validation action integration May 11, 2026

Lev Gorbunov (levgorbunov1) marked this pull request as draft May 11, 2026 13:27

remove uneeded perms

84633b6

Conversation

Lev Gorbunov (levgorbunov1) commented May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Terraform Plan Summary

Resources to create:

Resources to update:

Uh oh!

Sablu M (sablumiah) commented May 11, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Lev Gorbunov (levgorbunov1) commented May 11, 2026 •

edited

Loading