PLT-338 Security group for internet access #107

	name: opt-out-import plan terraform

	on:
	pull_request:
	paths:
	- .github/workflows/opt-out-import-plan.yml
	- terraform/modules/bucket/**
	- terraform/modules/key/**
	- terraform/modules/function/**
	- terraform/modules/queue/**
	- terraform/modules/subnets/**
	- terraform/modules/vpc/**
	- terraform/services/opt-out-import/**
	workflow_dispatch: # Allow manual trigger

	jobs:
	check-terraform-fmt:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- uses: ./actions/setup-tfenv-terraform
	- run: terraform fmt -check -diff -recursive terraform/services/opt-out-import

	terraform-plan:
	needs: check-terraform-fmt
	permissions:
	contents: read
	id-token: write
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: ./terraform/services/opt-out-import
	strategy:
	fail-fast: false
	matrix:
	app: [ab2d, bcda, dpc]
	env: [dev, test, prod]
	env:
	TF_VAR_app: ${{ matrix.app }}
	TF_VAR_env: ${{ matrix.env }}
	steps:
	- uses: actions/checkout@v4
	- uses: ./actions/setup-tfenv-terraform
	- uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: arn:aws:iam::${{ matrix.app == 'ab2d' && secrets[format('{0}_{1}_ACCOUNT', matrix.app, matrix.env)] \|\| secrets.BCDA_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions
	aws-region: ${{ vars.AWS_REGION }}
	- run: terraform init -reconfigure -backend-config=../../backends/$TF_VAR_app-$TF_VAR_env.s3.tfbackend
	- run: terraform plan

Provide feedback