From d2f14ffd529ff607ff4faa99ae22e2aa7defdac0 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 13:32:02 +0100
Subject: [PATCH 01/10] add tag validaiton workflow
---
 .github/workflows/validate-tags.yml | 101 ++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 .github/workflows/validate-tags.yml
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
new file mode 100644
index 00000000000..9b36d794a33
--- /dev/null
+++ b/.github/workflows/validate-tags.yml
@@ -0,0 +1,101 @@
+name: Validate Tags
+
+on:
+ pull_request:
+ paths:
+ - 'namespaces/*/*/resources/*.tf'
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ get-changed-files:
+ name: Get changed files
+ runs-on: ubuntu-latest
+ outputs:
+ skip_validate_tags: ${{ steps.changed-files.outputs.skip_validate_tags }}
+ namespaces: ${{ steps.changed-files.outputs.namespaces }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ shell: bash
+ run: |
+ if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+ git fetch origin "${{ github.base_ref }}"
+ CHANGED_FILES=$(git diff --name-only "origin/${{ github.base_ref }}...${{ github.sha }}")
+ else
+ CHANGED_FILES=""
+ fi
+
+ echo "Changed files:"
+ echo "$CHANGED_FILES"
+
+ TF_FILES=$(echo "$CHANGED_FILES" | grep -E '^namespaces/[^/]+/[^/]+/resources/[^/]+\.tf$' || true)
+
+ if [[ -z "$TF_FILES" ]]; then
+ echo "No matching Terraform files changed. Skipping tag validation."
+ echo "skip_validate_tags=true" >> "$GITHUB_OUTPUT"
+ echo 'namespaces=[]' >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+
+ AFFECTED_NAMESPACES=$(echo "$TF_FILES" \
+ | sed -E 's#^(namespaces/[^/]+/[^/]+/resources)/[^/]+\.tf$#\1#' \
+ | sort -u)
+
+ EXISTING_NAMESPACES=""
+ while IFS= read -r ns; do
+ if [[ -d "$ns" ]]; then
+ EXISTING_NAMESPACES="${EXISTING_NAMESPACES}${ns}"$'\n'
+ fi
+ done <<< "$AFFECTED_NAMESPACES"
+
+ EXISTING_NAMESPACES=$(echo "$EXISTING_NAMESPACES" | sed '/^$/d' | sort -u)
+
+ if [[ -z "$EXISTING_NAMESPACES" ]]; then
+ echo "No relevant namespaces changed. Skipping tag validation."
+ echo "skip_validate_tags=true" >> "$GITHUB_OUTPUT"
+ echo 'namespaces=[]' >> "$GITHUB_OUTPUT"
+ else
+ NAMESPACES_JSON=$(echo "$EXISTING_NAMESPACES" | jq -R . | jq -s -c .)
+
+ echo "Namespaces to validate:"
+ echo "$EXISTING_NAMESPACES"
+
+ echo "skip_validate_tags=false" >> "$GITHUB_OUTPUT"
+ echo "namespaces=$NAMESPACES_JSON" >> "$GITHUB_OUTPUT"
+ fi
+
+ validate-tags:
+ name: Tag Validation
+ needs: get-changed-files
+ if: ${{ needs.get-changed-files.outputs.skip_validate_tags != 'true' }}
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ path: ${{ fromJson(needs.get-changed-files.outputs.namespaces) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ # # Required if data blocks used in terraform configuration, for AWS read operations
+ # - name: Configure AWS Credentials
+ # uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ # with:
+ # role-to-assume: "arn:aws:iam::111111111111:role/my-read-only-role"
+ # role-session-name: "myrolesessionname"
+ # aws-region: "eu-west-2"
+
+ - name: Validate Tags
+ if: ${{ steps.changed-files.outputs.skip_tflint != 'true' }}
+ id: validate
+ uses: ministryofjustice/coat-tag-validator@37cca54b0e16536130d99bdf184cafd8bf2b71ae #v2.1.3
+ with:
+ terraform_directory: ${{ matrix.path }}
+ soft_fail: false
\ No newline at end of file
From d43401792e1e92bdbb8c25e3aaed2b3546606491 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 13:36:02 +0100
Subject: [PATCH 02/10] push test change to terraform
---
 .../github-community-dev/resources/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/github-community-dev/resources/variables.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/github-community-dev/resources/variables.tf
index d65148789ff..756442ff661 100644
--- a/namespaces/live.cloud-platform.service.justice.gov.uk/github-community-dev/resources/variables.tf
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/github-community-dev/resources/variables.tf
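Review bot: The step-level `if: ${{ steps.changed-files.outputs.skip_tflint != 'true' }}` on the Validate Tags step references a step that lives in the other job (`get-changed-files`) and an output that is never written (`skip_tflint`, while the script writes `skip_validate_tags`); the `steps` context is per job, so the expression is always true and the line only misleads. The job-level `if:` on `validate-tags` already gates on `skip_validate_tags`, so the step-level `if:` line can simply be dropped. Separately, `strategy:` sets no `fail-fast: false`, so the first namespace that fails validation cancels the remaining matrix jobs and their findings are lost; add `fail-fast: false` under `strategy:` if every changed namespace should be reported. The `github.base_ref` and `github.sha` expressions are interpolated straight into the `run:` script; they are base-repository values rather than PR-author input, but passing them through `env:` is the convention that keeps the script safe if the trigger list ever grows.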
@@ -11,7 +11,7 @@ variable "kubernetes_cluster" {
 variable "application" {
 description = "Name of the application you are deploying"
 type = string
- default = "github-community"
+ default = "github-community-dev"
 }
 variable "namespace" {
From 2cd5c671907360fce5f73ad1b832cdcb54ec8401 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 13:51:16 +0100
Subject: [PATCH 03/10] set mock terraform variables
---
 .github/workflows/validate-tags.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index 9b36d794a33..d371d0519d2 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -91,6 +91,12 @@ jobs:
 # role-to-assume: "arn:aws:iam::111111111111:role/my-read-only-role"
 # role-session-name: "myrolesessionname"
 # aws-region: "eu-west-2"
+
+ - name: Set mock terraform vars
+ run: |
+ echo "TF_VAR_vpc_name=XIHIUHIU-1" >> "$GITHUB_ENV"
+ echo "TF_VAR_eks_cluster_name=XIHIUHIU" >> "$GITHUB_ENV"
+ echo "TF_VAR_kubernetes_cluster="XIHIUHIU.eks.amazonaws.com"" >> "$GITHUB_ENV"
 - name: Validate Tags
 if: ${{ steps.changed-files.outputs.skip_tflint != 'true' }}
From 6e299df5fa56a86ab8c75d846d1f6d6ba22409b9 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 13:56:55 +0100
Subject: [PATCH 04/10] set dummy aws creds for terraform plan
---
 .github/workflows/validate-tags.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index d371d0519d2..d28fb2abe81 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
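Review bot: The `default = "github-community-dev"` change to the `application` variable is described by the commit subject as a test change to exercise the new workflow, yet it is a real change to the namespace's Terraform default; confirm whether it is meant to ship or should be dropped from the series before merge. If it is meant to ship, the subject should say so, since reviewers of the namespace will otherwise read it as accidental. The enclosing `variable "application"` block is fully inside the hunk, but the surrounding file is not.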
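Review bot: The nested double quotes in `echo "TF_VAR_kubernetes_cluster="XIHIUHIU.eks.amazonaws.com"" >> "$GITHUB_ENV"` do not do what they look like: bash closes the first string at `cluster="`, leaves the hostname as an unquoted word and appends an empty `""`, so the line works only by accident and the written value carries no quotes at all. Write it like the two lines above it, `echo "TF_VAR_kubernetes_cluster=XIHIUHIU.eks.amazonaws.com" >> "$GITHUB_ENV"`, so the intent is explicit and shellcheck has nothing to flag. The values appear to be placeholders that only need to exist for the validator's run; a comment on the step such as `# Dummy values so required variables are set; confirm the validator never reaches real infrastructure with them` would stop a later reader from treating them as cluster identifiers.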
@@ -100,6 +100,10 @@ jobs:
 - name: Validate Tags
 if: ${{ steps.changed-files.outputs.skip_tflint != 'true' }}
+ env:
+ AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
+ AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+ AWS_DEFAULT_REGION: "eu-west-2"
 id: validate
 uses: ministryofjustice/coat-tag-validator@37cca54b0e16536130d99bdf184cafd8bf2b71ae #v2.1.3
 with:
From 71da81852825ea6ae73abd1b49bf88ee48c5227d Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 13:59:54 +0100
Subject: [PATCH 05/10] configure aws credentials
---
 .github/workflows/validate-tags.yml | 16 +++++----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index d28fb2abe81..7a85ae78d09 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -84,13 +84,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- # # Required if data blocks used in terraform configuration, for AWS read operations
- # - name: Configure AWS Credentials
- # uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
- # with:
- # role-to-assume: "arn:aws:iam::111111111111:role/my-read-only-role"
- # role-session-name: "myrolesessionname"
- # aws-region: "eu-west-2"
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ with:
+ role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+ aws-region: ${{ vars.ECR_REGION }}
 - name: Set mock terraform vars
 run: |
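Review bot: The `env:` block adds `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` literals to the Validate Tags step; these are the well-known AWS documentation example values rather than live credentials, and patch 05 removes them again, but they stay in the branch history and match the patterns that GitHub secret scanning, gitleaks and similar pre-merge checks alert on. Prefer squashing this commit out of the series before merge so the literals never land on the default branch, and rely on the credentials action introduced in patch 05 for the real run. If a credential-free plan genuinely needs dummy static keys, a comment on the block stating that they are the AWS documentation examples would at least make the scanner finding easy to triage.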
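Review bot: The new Configure AWS Credentials step assumes a role via `role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}` with no static keys, which is the OIDC path of aws-actions/configure-aws-credentials, and that path needs `id-token: write`; the workflow's top-level `permissions:` grants only `contents: read` (plus `pull-requests: write` until patch 10 removes it), so the step will fail to obtain a token. Add `id-token: write` under `permissions:` (it can be scoped to the `validate-tags` job), and note that on the `pull_request` trigger secrets are not available to forked PRs, so the step should either be guarded with `if: github.event.pull_request.head.repo.full_name == github.repository` or the validator should run without AWS access for forks. The secret name `ECR_ROLE_TO_ASSUME` suggests a role scoped for ECR rather than the read-only data-source access the removed comment described; the assumed role should carry only the read permissions the validator's plan needs. The same observations apply to the later rewrites of this step in patches 06, 07 and 09, which keep it active.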
@@ -100,10 +98,6 @@ jobs:
 - name: Validate Tags
 if: ${{ steps.changed-files.outputs.skip_tflint != 'true' }}
- env:
- AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE"
- AWS_SECRET_ACCESS_KEY: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
- AWS_DEFAULT_REGION: "eu-west-2"
 id: validate
 uses: ministryofjustice/coat-tag-validator@37cca54b0e16536130d99bdf184cafd8bf2b71ae #v2.1.3
 with:
From 5275da414a74d0b44065ff4eb3b69f347b19da7d Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 14:01:53 +0100
Subject: [PATCH 06/10] use older aws configure creds step
---
 .github/workflows/validate-tags.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index 7a85ae78d09..71655787e17 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -84,8 +84,7 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+ - uses: aws-actions/configure-aws-credentials@v2
 with:
 role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
 aws-region: ${{ vars.ECR_REGION }}
From 0a0391a883c89ef83c44a49336c7d2b8d5a20bc3 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 14:05:11 +0100
Subject: [PATCH 07/10] bump aws configure creds version and hardcode aws region
---
 .github/workflows/validate-tags.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index 71655787e17..a496357400b 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -84,10 +84,11 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - uses: aws-actions/configure-aws-credentials@v2
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
 with:
 role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
- aws-region: ${{ vars.ECR_REGION }}
+ aws-region: "eu-west-2"
 - name: Set mock terraform vars
 run: |
From c5eadce29380fac0b116c855f857f34c79fa6c2c Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 14:10:06 +0100
Subject: [PATCH 08/10] update step name
---
 .github/workflows/validate-tags.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index a496357400b..f846cc985ca 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -90,7 +90,7 @@ jobs:
 role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
 aws-region: "eu-west-2"
- - name: Set mock terraform vars
+ - name: Set mock default terraform vars
 run: |
 echo "TF_VAR_vpc_name=XIHIUHIU-1" >> "$GITHUB_ENV"
 echo "TF_VAR_eks_cluster_name=XIHIUHIU" >> "$GITHUB_ENV"
From 4efbd9019f2d62679e8b23c274e0c20c975f2591 Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 14:19:04 +0100
Subject: [PATCH 09/10] add skeleton configure aws creds step
---
 .github/workflows/validate-tags.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index f846cc985ca..115eb472c95 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -87,7 +87,8 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
 with:
- role-to-assume: ${{ secrets.ECR_ROLE_TO_ASSUME }}
+ role-to-assume: "arn:aws:iam::111111111111:role/my-read-only-role"
+ role-session-name: "myrolesessionname"
 aws-region: "eu-west-2"
 - name: Set mock default terraform vars
From 84633b659905473ca381fed7a33b4137510f8d2c Mon Sep 17 00:00:00 2001
From: Lev Gorbunov
Date: Mon, 11 May 2026 14:31:09 +0100
Subject: [PATCH 10/10] remove uneeded perms
---
 .github/workflows/validate-tags.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/validate-tags.yml b/.github/workflows/validate-tags.yml
index 115eb472c95..e313b0702bb 100644
--- a/.github/workflows/validate-tags.yml
+++ b/.github/workflows/validate-tags.yml
@@ -7,7 +7,6 @@ on:
 permissions:
 contents: read
- pull-requests: write
 jobs:
 get-changed-files:
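Review bot: `role-to-assume: "arn:aws:iam::111111111111:role/my-read-only-role"` and `role-session-name: "myrolesessionname"` are placeholder values (the subject calls the step a skeleton), but the step is now active rather than commented out, so every run of `validate-tags` will try to assume a role in account 111111111111 and fail before the validator runs; together with patch 10 leaving `permissions:` at `contents: read` only, with no `id-token: write`, the job cannot succeed as committed. Either comment the step out again until a real role ARN is available, as the first version of the file did, or source the ARN from a repository variable and add a leading comment such as `# Placeholder: replace with the read-only role used for data-source lookups before enabling this step` so the intent is clear to the next reader. The enclosing `steps:` list of the `validate-tags` job continues outside the hunk.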