feat: add IAM auth support (required for stack config templating as o…

…f atmos `1.18.2`) (#46)

* feat: add IAM auth support, which is required for stack config templating as of atmos 1.18.2

* Inject real role into workflow; remove condition and input.

* Use yq as part of atmos mock.

* Fix config for release install.

.github/workflows/test-matrix-2-levels.yml

@@ -7,6 +7,10 @@ on:
 #  pull_request: {}
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -21,16 +25,30 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - shell: bash
+        run: |
+          mkdir -p ${{ runner.temp }}
+          cp ./tests/atmos.yaml ${{ runner.temp }}/atmos.yaml
+          sed -i -e 's#__PLAN_ROLE__#${{ secrets.TERRAFORM_PLAN_ROLE }}#g' ${{ runner.temp }}/atmos.yaml
 
       - name: add mock atmos to the path
         run: echo "./tests/fixtures" >> $GITHUB_PATH
 
+      - uses: cloudposse-github-actions/install-gh-releases@v1
+        with:
+          cache: true
+          config: |-
+            mikefarah/yq: v4.44.3
+
       - uses: ./
         id: current
         with:
           install-atmos: false
-          atmos-config-path: "./tests"
           nested-matrices-count: '2'
+          atmos-config-path: ${{ runner.temp }}
 
     outputs:
       affected: "${{ steps.current.outputs.affected }}"

.github/workflows/test-matrix-3-levels.yml

@@ -7,6 +7,10 @@ on:
 #  pull_request: {}
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -21,16 +25,30 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - shell: bash
+        run: |
+          mkdir -p ${{ runner.temp }}
+          cp ./tests/atmos.yaml ${{ runner.temp }}/atmos.yaml
+          sed -i -e 's#__PLAN_ROLE__#${{ secrets.TERRAFORM_PLAN_ROLE }}#g' ${{ runner.temp }}/atmos.yaml
 
       - name: add mock atmos to the path
         run: echo "./tests/fixtures" >> $GITHUB_PATH
 
+      - uses: cloudposse-github-actions/install-gh-releases@v1
+        with:
+          cache: true
+          config: |-
+            mikefarah/yq: v4.44.3
+
       - uses: ./
         id: current
         with:
           install-atmos: false
-          atmos-config-path: "./tests"
           nested-matrices-count: '3'
+          atmos-config-path: ${{ runner.temp }}
 
     outputs:
       affected: "${{ steps.current.outputs.affected }}"

.github/workflows/test-no-changes.yml

@@ -7,6 +7,10 @@ on:
   # pull_request: {}
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -21,12 +25,26 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - shell: bash
+        run: |
+          mkdir -p ${{ runner.temp }}
+          cp ./tests/atmos.yaml ${{ runner.temp }}/atmos.yaml
+          sed -i -e 's#__PLAN_ROLE__#${{ secrets.TERRAFORM_PLAN_ROLE }}#g' ${{ runner.temp }}/atmos.yaml
+
+      - uses: cloudposse-github-actions/install-gh-releases@v1
+        with:
+          cache: true
+          config: |-
+            mikefarah/yq: v4.44.3
 
       - uses: ./
         id: current
         with:
           install-atmos: true
-          atmos-config-path: "./tests"
+          atmos-config-path: ${{ runner.temp }}
 
     outputs:
       affected: "${{ steps.current.outputs.affected }}"

.github/workflows/test-positive.yml

@@ -7,6 +7,10 @@ on:
   # pull_request: {}
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   setup:
     runs-on: ubuntu-latest
@@ -21,15 +25,29 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - shell: bash
+        run: |
+          mkdir -p ${{ runner.temp }}
+          cp ./tests/atmos.yaml ${{ runner.temp }}/atmos.yaml
+          sed -i -e 's#__PLAN_ROLE__#${{ secrets.TERRAFORM_PLAN_ROLE }}#g' ${{ runner.temp }}/atmos.yaml
 
       - name: add mock atmos to the path
         run: echo "./tests/fixtures" >> $GITHUB_PATH
 
+      - uses: cloudposse-github-actions/install-gh-releases@v1
+        with:
+          cache: true
+          config: |-
+            mikefarah/yq: v4.44.3
+
       - uses: ./
         id: current
         with:
           install-atmos: false
-          atmos-config-path: "./tests"
+          atmos-config-path: ${{ runner.temp }}
 
     outputs:
       affected: "${{ steps.current.outputs.affected }}"

action.yml

@@ -112,6 +112,8 @@ runs:
         echo "terraform-version=$(atmos describe config -f json | jq -r '.integrations.github.gitops["terraform-version"]')" >> $GITHUB_OUTPUT      
         echo "group-by=$(atmos describe config -f json | jq -r '.integrations.github.gitops.matrix["group-by"]')" >> $GITHUB_OUTPUT
         echo "sort-by=$(atmos describe config -f json | jq -r '.integrations.github.gitops.matrix["sort-by"]')" >> $GITHUB_OUTPUT
+        echo "aws-region=$(atmos describe config -f json | jq -r '.integrations.github.gitops["artifact-storage"].region')" >> $GITHUB_OUTPUT
+        echo "terraform-plan-role=$(atmos describe config -f json | jq -r '.integrations.github.gitops.role.plan')" >> $GITHUB_OUTPUT
 
     - name: Install Terraform
       if: ${{ steps.config.outputs.terraform-version != '' && steps.config.outputs.terraform-version != 'null' }}
@@ -143,6 +145,14 @@ runs:
       run: git checkout ${{ inputs.base-ref }}
       working-directory: base-ref
 
+    - name: Configure Plan AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4.0.2
+      with:
+        aws-region: ${{ steps.config.outputs.aws-region }}
+        role-to-assume: ${{ steps.config.outputs.terraform-plan-role }}
+        role-session-name: "atmos-terraform-plan-gitops"
+        mask-aws-account-id: "no"
+
     - name: atmos affected stacks for atmos pro
       id: affected-pro
       if: ${{ inputs.atmos-pro-upload == 'true' }}

tests/atmos.yaml

@@ -257,7 +257,7 @@ integrations:
         table: cptest-core-ue2-auto-gitops-plan-storage
         role: arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha
       role:
-        plan: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
+        plan: __PLAN_ROLE__
         apply: arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops
       matrix:
         sort-by: .stack_slug

tests/fixtures/atmos

@@ -1,35 +1,4 @@
 #!/bin/bash
 
 cat "${GITHUB_ACTION_PATH}/tests/fixtures/mock-atmos-describe-affected.json" > affected-stacks.json
-
-cat << EOF
-{
-   "integrations": {
-      "atlantis": {
-
-      },
-      "github": {
-         "gitops": {
-						"infracost-enabled": false,
-						"matrix": {
-							"group-by": ".stack_slug | split(\"-\") | [.[0], .[2]] | join(\"-\")",
-							"sort-by": ".stack_slug"
-						},
-						"role": {
-							"apply": "arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops",
-							"plan": "arn:aws:iam::yyyyyyyyyyyy:role/cptest-core-gbl-identity-gitops"
-						},
-						"storage": {
-							"bucket": "cptest-core-ue2-auto-gitops",
-							"region": "us-east-2",
-							"role": "arn:aws:iam::xxxxxxxxxxxx:role/cptest-core-ue2-auto-gitops-gha",
-							"table": "cptest-core-ue2-auto-gitops-plan-storage"
-						},
-						"terraform-version": "1.5.2"
-				}
-			}
-   }
-}
-
-
-EOF
+cat ${ATMOS_CLI_CONFIG_PATH}/atmos.yaml | yq e --tojson '.' -