Dry run action + workflow cleanup

.github/workflows/deploy-dry-run.yml

@@ -0,0 +1,73 @@
+name: Deploy (dry run)
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: [main]
+
+concurrency:
+  group: deploy-dry-run-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  AWS_REGION: ${{ vars.AWS_REGION }}
+  ENVIRONMENT: prod
+  TF_DIR: terraform
+
+jobs:
+  deploy-dry-run:
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "~1.0"
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Install Poetry
+        run: pip install poetry poetry-plugin-export
+
+      - name: Build Lambda layer (local only)
+        run: |
+          mkdir -p build/lambda-layer/python
+          poetry export -f requirements.txt --without-hashes -o build/requirements.txt
+          pip install \
+            --target build/lambda-layer/python \
+            --platform manylinux2014_x86_64 \
+            --python-version 3.11 \
+            --only-binary=:all: \
+            -r build/requirements.txt
+          cd build/lambda-layer
+          zip -r ../python-deps.zip python/ > /dev/null
+
+      - name: Terraform init
+        working-directory: ${{ env.TF_DIR }}
+        run: |
+          terraform init \
+            -backend-config="bucket=aztec-circ-supply-terraform" \
+            -backend-config="key=circulating-supply-api" \
+            -backend-config="region=${AWS_REGION}"
+
+      - name: Terraform plan
+        working-directory: ${{ env.TF_DIR }}
+        run: terraform plan -out=tfplan -input=false
+        env:
+          TF_VAR_eth_rpc_url: ${{ secrets.ETH_RPC_URL }}
+          TF_VAR_route53_zone_id: ${{ secrets.ROUTE53_ZONE_ID }}
+          TF_VAR_aws_region: ${{ env.AWS_REGION }}
+          TF_VAR_environment: ${{ env.ENVIRONMENT }}
+

.github/workflows/deploy.yml

@@ -11,16 +11,15 @@ concurrency:
 permissions:
   id-token: write
   contents: read
-  deployments: write
-
 env:
-  AWS_REGION: eu-west-2
+  AWS_REGION: ${{ vars.AWS_REGION }}
   ENVIRONMENT: prod
   TF_DIR: terraform
 
 jobs:
   deploy:
     runs-on: ubuntu-latest
+    environment: prod
     steps:
       - uses: actions/checkout@v4
 
@@ -37,14 +36,6 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Create deployment
-        uses: chrnorm/deployment-action@v2
-        id: deployment
-        with:
-          token: ${{ github.token }}
-          environment: production
-          description: "Deploy ${{ github.sha }}"
-
       - name: Install Poetry
         run: pip install poetry poetry-plugin-export
 
@@ -97,19 +88,3 @@ jobs:
             echo "Warning: API returned $STATUS (may need time for DNS propagation)"
           fi
 
-      - name: Update deployment status (success)
-        if: success()
-        uses: chrnorm/deployment-status@v2
-        with:
-          token: ${{ github.token }}
-          state: success
-          deployment-id: ${{ steps.deployment.outputs.deployment_id }}
-          environment-url: https://supply.aztec.network
-
-      - name: Update deployment status (failure)
-        if: failure()
-        uses: chrnorm/deployment-status@v2
-        with:
-          token: ${{ github.token }}
-          state: failure
-          deployment-id: ${{ steps.deployment.outputs.deployment_id }}

terraform/main.tf

@@ -13,14 +13,13 @@ terraform {
   }
 
   backend "s3" {
-    bucket = "aztec-foundation-terraform-state"
+    bucket = "aztec-circ-supply-terraform"
     key    = "circulating-supply-api"
     region = "eu-west-2"
   }
 }
 
 provider "aws" {
-  profile = "foundation"
   region = var.aws_region
 
   default_tags {
@@ -34,9 +33,8 @@ provider "aws" {
 
 # ACM certificates for CloudFront must be in us-east-1
 provider "aws" {
-  alias   = "us_east_1"
-  profile = "foundation"
-  region  = "us-east-1"
+  alias  = "us_east_1"
+  region = "us-east-1"
 
   default_tags {
     tags = {