rvolykh · rvolykh · Dec 26, 2025 · Dec 26, 2025
diff --git a/.github/workflows/_tf_test.yml b/.github/workflows/_tf_test.yml
@@ -0,0 +1,40 @@
+name: "Terraform Test"
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        description: "Environment to test"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  terraform-test:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v6
+      - name: "Install dependencies"
+        uses: ./.github/actions/dependencies
+      - name: "Configure AWS credentials"
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/bootstrap/github-telegram-bot
+          role-session-name: github-actions-test-${{ github.run_id }}
+          aws-region: ${{ secrets.AWS_REGION }}
+      - name: "Init"
+        working-directory: infra
+        env:
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+          AWS_REGION: ${{ secrets.AWS_REGION }}
+        run: |
+          terraform init -backend=false
+      - name: "🏄 Test"
+        working-directory: infra
+        run: |
+          terraform test
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -26,3 +26,11 @@ jobs:
       environment: "sandbox"
       enabled_cache_plan: false
     secrets: inherit
+
+  terraform-test:
+    if: github.event_name == 'pull_request'
+    needs: [terraform-plan]
+    uses: ./.github/workflows/_tf_test.yml
+    with:
+      environment: "sandbox"
+    secrets: inherit
diff --git a/infra/application.tf b/infra/application.tf
@@ -1,5 +1,5 @@
 resource "aws_servicecatalogappregistry_application" "telegram_bot" {
   provider    = aws.application
-  name        = "telegram-bot"
-  description = "Telegram Bot"
+  name        = "${var.prefix}telegram-bot"
+  description = "${var.prefix}Telegram Bot"
 }
diff --git a/infra/cmd_poweron.tf b/infra/cmd_poweron.tf
@@ -1,15 +1,15 @@
 module "telegram_bot_queue_cmd_poweron" {
   source = "./modules/queue"
 
-  queue_name               = "telegram-bot-cmd-poweron"
+  queue_name               = "${var.prefix}telegram-bot-cmd-poweron"
   enable_dead_letter_queue = true
   dead_letter_queue_arn    = module.telegram_bot_queue_alerting.sqs_queue_arn
 }
 
 module "telegram_bot_cmd_poweron" {
   source = "./modules/handler"
 
-  function_name                  = "telegram-bot-cmd-poweron"
+  function_name                  = "${var.prefix}telegram-bot-cmd-poweron"
   reserved_concurrent_executions = -1
   source_path                    = "${path.root}/../apps/poweron"
 

diff --git a/infra/config.tf b/infra/config.tf
@@ -1,13 +1,13 @@
 module "telegram_bot_api_token" {
   source = "./modules/kv"
 
-  name  = "/telegram/bot/api_token"
+  name  = "/${var.prefix}telegram/bot/api_token"
   value = var.telegram_bot_api_token
 }
 
 module "telegram_bot_cache_poweron" {
   source = "./modules/kv"
 
-  name  = "/telegram/bot/cache/poweron"
+  name  = "/${var.prefix}telegram/bot/cache/poweron"
   value = "none"
 }
diff --git a/infra/main.tf b/infra/main.tf
@@ -1,14 +1,14 @@
 module "telegram_bot_queue_mux" {
   source = "./modules/queue"
 
-  queue_name = "telegram-bot-mux"
+  queue_name = "${var.prefix}telegram-bot-mux"
 
   enable_dead_letter_queue = true
   dead_letter_queue_arn    = module.telegram_bot_queue_alerting.sqs_queue_arn
 }
 
 resource "aws_cloudwatch_metric_alarm" "mux_command_rate" {
-  alarm_name          = "telegram-bot-mux-command-rate"
+  alarm_name          = "${var.prefix}telegram-bot-mux-command-rate"
   comparison_operator = "GreaterThanThreshold"
   evaluation_periods  = 3  # over 3 minutes
   period              = 60 # 1 minute
@@ -32,17 +32,18 @@ resource "aws_cloudwatch_metric_alarm" "mux_command_rate" {
 module "telegram_bot_api" {
   source = "./modules/api"
 
-  api_name = "telegram-bot"
+  api_name = "${var.prefix}telegram-bot"
   sqs_queue = {
     name = module.telegram_bot_queue_mux.sqs_queue_name
     arn  = module.telegram_bot_queue_mux.sqs_queue_arn
   }
+  ip_allowlist = var.api_ip_allowlist
 }
 
 module "telegram_bot_handler_mux" {
   source = "./modules/handler"
 
-  function_name                  = "telegram-bot-mux"
+  function_name                  = "${var.prefix}telegram-bot-mux"
   reserved_concurrent_executions = -1
   source_path                    = "${path.root}/../apps/mux"
 

diff --git a/infra/modules/api/data.tf b/infra/modules/api/data.tf
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "api_gateway_policy" {
     condition {
       test     = "NotIpAddress"
       variable = "aws:SourceIp"
-      values = [
+      values = concat([
         "91.108.56.0/22",
         "91.108.4.0/22",
         "91.108.8.0/22",
@@ -61,7 +61,7 @@ data "aws_iam_policy_document" "api_gateway_policy" {
         "2001:67c:4e8::/48",
         "2001:b28:f23c::/48",
         "2a0a:f280::/32",
-      ]
+      ], var.ip_allowlist)
     }
   }
 }
diff --git a/infra/modules/api/variables.tf b/infra/modules/api/variables.tf
@@ -24,6 +24,12 @@ variable "sqs_queue" {
   }
 }
 
+variable "ip_allowlist" {
+  description = "IP addresses to allow access to the API"
+  type        = list(string)
+  default     = []
+}
+
 variable "tags" {
   description = "Tags to apply to the API Gateway and SQS resources"
   type        = map(string)

diff --git a/infra/observability.tf b/infra/observability.tf
@@ -1,7 +1,7 @@
 module "telegram_bot_queue_alerting" {
   source = "./modules/queue"
 
-  queue_name = "telegram-bot-alerting"
+  queue_name = "${var.prefix}telegram-bot-alerting"
 
   enable_dead_letter_queue = false
   dead_letter_queue_source_arns = [
@@ -11,7 +11,7 @@ module "telegram_bot_queue_alerting" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "non_empty_dlq" {
-  alarm_name          = "telegram-bot-non-empty-dlq"
+  alarm_name          = "${var.prefix}telegram-bot-non-empty-dlq"
   comparison_operator = "GreaterThanOrEqualToThreshold"
   evaluation_periods  = 1
   period              = 5 * 60
@@ -35,7 +35,7 @@ resource "aws_cloudwatch_metric_alarm" "non_empty_dlq" {
 module "telegram_bot_alerting" {
   source = "./modules/alerting"
 
-  name                           = "telegram-bot-alerting"
+  name                           = "${var.prefix}telegram-bot-alerting"
   reserved_concurrent_executions = -1
   emails                         = var.alerting_emails
   telegram_chat_id               = var.alerting_telegram_chat_id