feat: Allow deployment roles to be created with an environment name that differs from the infra.

Author: jamesiarmes

tofu/modules/deployment/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  system_environment = coalesce(var.system_environment, var.environment)
+}

tofu/modules/deployment/main.tf

@@ -1,5 +1,5 @@
 resource "aws_iam_role" "deployment" {
-  name = "${var.project}-${var.environment}-deployment-role"
+  name = "${var.project}-${local.system_environment}-deployment-role"
   assume_role_policy = jsonencode(yamldecode(templatefile("${path.module}/templates/assume-policy.yaml.tftpl", {
     oidc_arn : var.oidc_arn
     repository : var.repository
@@ -9,7 +9,7 @@ resource "aws_iam_role" "deployment" {
 }
 
 resource "aws_iam_role_policy" "deployment" {
-  name = "${var.project}-${var.environment}-deployment-policy"
+  name = "${var.project}-${local.system_environment}-deployment-policy"
   role = aws_iam_role.deployment.name
 
   policy = jsonencode(yamldecode(templatefile("${path.module}/templates/iam-policy.yaml.tftpl", {
@@ -18,5 +18,6 @@ resource "aws_iam_role_policy" "deployment" {
     region : data.aws_region.current.region
     partition : data.aws_partition.current.partition
     project : var.project
+    system_environment : local.system_environment
   })))
 }

tofu/modules/deployment/variables.tf

@@ -4,6 +4,12 @@ variable "environment" {
   default     = "development"
 }
 
+variable "system_environment" {
+  type        = string
+  description = "Environment name for the system, if different from the deployment environment."
+  default     = null
+}
+
 variable "oidc_arn" {
   type        = string
   description = "ARN of the OpenID Connect provider for the GitHub repository."