IntelliTect-Samples · BillMillerCoding · May 26, 2026
diff --git a/.github/workflows/terraform-apply.yml b/.github/workflows/terraform-apply.yml
@@ -0,0 +1,57 @@
+name: Terraform Apply
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "Iac/**"
+
+# Required for OIDC federated identity authentication — no client secrets used
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  TF_WORKING_DIR: Iac
+
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # ── Authenticate to Azure via OIDC ────────────────────────────────────
+      - name: Azure Login (OIDC)
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # ── Set up Terraform ──────────────────────────────────────────────────
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~1.6"
+
+      # ── Init — connect to azurerm backend in dbstfstate01 ─────────────────
+      - name: Terraform Init
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform init
+
+      # ── Validate ──────────────────────────────────────────────────────────
+      - name: Terraform Validate
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform validate
+
+      # ── Apply ─────────────────────────────────────────────────────────────
+      # Sensitive variables are passed as TF_VAR_* environment variables so
+      # they never appear in the plan output or logs.
+      - name: Terraform Apply
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        env:
+          TF_VAR_eventhub_connection_string: ${{ secrets.EVENTHUB_CONNECTION_STRING }}
+          TF_VAR_bot_api_sql_connection_string: ${{ secrets.BOT_API_SQL_CONNECTION_STRING }}
+        run: terraform apply -auto-approve
diff --git a/Iac/backend.tf b/Iac/backend.tf
@@ -0,0 +1,8 @@
+terraform {
+  backend "azurerm" {
+    resource_group_name  = "ewu-deliverybotsystem-rg"
+    storage_account_name = "dbstfstate01"
+    container_name       = "tfstate"
+    key                  = "deliverybotsystem.tfstate"
+  }
+}
diff --git a/Iac/bootstrap/main.tf b/Iac/bootstrap/main.tf
@@ -0,0 +1,35 @@
+# Bootstrap — creates the Azure Storage Account used as the Terraform remote backend
+# for all other configurations in this project.
+#
+# Usage (run once per environment):
+#   cd Iac/bootstrap
+#   terraform init
+#   terraform apply
+#
+# The resource group must already exist before running this.
+
+data "azurerm_resource_group" "rg" {
+  name = var.resource_group_name
+}
+
+# ── State Storage Account ──────────────────────────────────────────────────────
+resource "azurerm_storage_account" "tfstate" {
+  name                     = "dbstfstate01"
+  resource_group_name      = data.azurerm_resource_group.rg.name
+  location                 = var.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+
+  allow_nested_items_to_be_public = false
+
+  blob_properties {
+    versioning_enabled = true
+  }
+}
+
+# ── Blob Container ─────────────────────────────────────────────────────────────
+resource "azurerm_storage_container" "tfstate" {
+  name                  = "tfstate"
+  storage_account_id    = azurerm_storage_account.tfstate.id
+  container_access_type = "private"
+}
diff --git a/Iac/bootstrap/outputs.tf b/Iac/bootstrap/outputs.tf
@@ -0,0 +1,14 @@
+output "storage_account_name" {
+  description = "Name of the Terraform state storage account."
+  value       = azurerm_storage_account.tfstate.name
+}
+
+output "container_name" {
+  description = "Blob container that holds .tfstate files."
+  value       = azurerm_storage_container.tfstate.name
+}
+
+output "resource_group_name" {
+  description = "Resource group containing the state storage account."
+  value       = data.azurerm_resource_group.rg.name
+}
diff --git a/Iac/bootstrap/providers.tf b/Iac/bootstrap/providers.tf
@@ -0,0 +1,18 @@
+terraform {
+  required_version = ">= 1.6"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 4.0"
+    }
+  }
+
+  # Bootstrap uses local state — it creates the remote backend used by everything else.
+  # Do NOT add a remote backend block here.
+}
+
+provider "azurerm" {
+  features {}
+  subscription_id = var.subscription_id
+}
diff --git a/Iac/bootstrap/variables.tf b/Iac/bootstrap/variables.tf
@@ -0,0 +1,17 @@
+variable "subscription_id" {
+  description = "Azure subscription ID."
+  type        = string
+  default     = "a06983f7-7384-4a09-a092-b13a3896be85"
+}
+
+variable "resource_group_name" {
+  description = "Resource group that holds the tfstate storage account (must already exist)."
+  type        = string
+  default     = "ewu-deliverybotsystem-rg"
+}
+
+variable "location" {
+  description = "Azure region for the state storage account."
+  type        = string
+  default     = "westus2"
+}