
Infrastructure Changes

Recro AWS infrastructure (SSO and DNS) is managed via Terraform in the recro-aws-iac repository.

Overview

  Resource   Config File             What It Manages
  SSO        terraform/sso.tfvars    Users, groups, permission sets, account assignments
  DNS        terraform/dns.tfvars    Route53 hosted zones and static records

Workflow

All changes follow this process:

  1. Edit the appropriate .tfvars file
  2. Commit and open a PR
  3. Merge to main (CI runs terraform plan)
  4. Create a date-based tag to apply

Important: Terraform apply never runs automatically. You must create a tag to trigger the apply workflow.

Add or Modify an SSO User

  1. Clone the repository:

    git clone https://github.com/recro/recro-aws-iac.git
    cd recro-aws-iac

  2. Edit terraform/sso.tfvars:
     • Add the user to the users list
     • Assign the user to the appropriate group (architect, engineer, or audit)

  3. Commit and push:

    git checkout -b add-user-jsmith
    git add terraform/sso.tfvars
    git commit -m "feat: add jsmith to engineer group"
    git push origin add-user-jsmith

  4. Open a PR and merge to main

  5. Create a date-based tag to apply:

    git checkout main
    git pull
    git tag 2025-01-07
    git push origin 2025-01-07

Add or Modify a DNS Record

  1. Edit terraform/dns.tfvars:
     • Add the record to the appropriate hosted zone

  2. Follow the same PR → merge → tag flow

Note: Dynamic DNS records created by cert-manager or external-dns should live under subdomains and are NOT managed in this repository.

CI/CD Pipeline

  Trigger                       Action                   Workflow
  Push to main                  terraform init + plan    validate.yaml
  Push date tag (YYYY-MM-DD)    terraform apply          release.yaml

Tag Format

Use date-based tags: YYYY-MM-DD

    git tag 2025-01-07
    git push origin 2025-01-07

Multiple changes on the same day can use a suffix: 2025-01-07-2
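As an added example (not a script shipped in the recro-aws-iac repository), a small POSIX shell helper that derives the next tag for a given day under this page's YYYY-MM-DD / YYYY-MM-DD-N convention, plus a check that a tag has the shape the apply workflow triggers on. The function names next_release_tag and is_release_tag are assumptions, and the sample tag list is constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the recro-aws-iac repo: compute the next
# date-based release tag (YYYY-MM-DD or YYYY-MM-DD-N) for a given day.
# Function names are assumptions; the repo ships no such helper.

# next_release_tag DATE EXISTING_TAGS
#   DATE:          the day, as YYYY-MM-DD
#   EXISTING_TAGS: whitespace/newline-separated tags already in the repo
# Prints DATE when no tag for that day exists, otherwise DATE-N where N is
# one above the highest suffix already used (a bare DATE counts as 1).
next_release_tag() {
    date="$1"
    existing="$2"
    max=0
    for t in $existing; do
        case "$t" in
            "$date")   n=1 ;;
            "$date"-*) n="${t#"$date"-}" ;;
            *)         continue ;;
        esac
        # Ignore tags whose suffix is not a plain number (e.g. 2025-01-07-rc)
        case "$n" in ''|*[!0-9]*) continue ;; esac
        [ "$n" -gt "$max" ] && max="$n"
    done
    if [ "$max" -eq 0 ]; then
        printf '%s\n' "$date"
    else
        printf '%s-%s\n' "$date" "$((max + 1))"
    fi
}

# is_release_tag TAG: succeeds if TAG has the shape the apply workflow
# triggers on (YYYY-MM-DD with an optional numeric -N suffix).
is_release_tag() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}(-[0-9]+)?$'
}

# Constructed sample of what `git tag --list` might print after two
# applies on 2025-01-07; in practice pass "$(git tag --list)".
sample_tags='2025-01-06
2025-01-07
2025-01-07-2'
next_release_tag 2025-01-07 "$sample_tags"   # prints 2025-01-07-3
```

Pass `"$(date +%F)"` as the first argument to get today's tag; the output is what you would hand to `git tag` before pushing it to trigger release.yaml.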

Local Development

If you need to run Terraform locally (requires AWS credentials):

    make init      # Initialize Terraform
    make plan      # Preview changes
    make apply     # Apply changes (requires valid plan file)
    make status    # Show versions and config
    make clean     # Remove plan file and .terraform

Guardrails

  • No manual console changes - All infrastructure changes go through the repo
  • Verify identity first - Run aws sts get-caller-identity before Terraform operations
  • Destroy is restricted - Only GitHub admins can run destroy workflows

What This Repo Does NOT Manage

  • Domain purchasing (manual)
  • IAM Identity Center enablement (manual, one-time setup)
  • Dynamic DNS records (managed by cert-manager, external-dns)
  • IAM roles/policies (separate from Identity Center)

See Also