Renamed roles to iam and imported github openid

robertnovac1 · robertnovac1 · commit 93c2dd58e95f · 2025-07-23T17:27:11.000+01:00
diff --git a/infra/iam.tf b/infra/iam.tf
@@ -59,6 +59,22 @@ resource "aws_iam_role" "auto_ops" {
           AWS = "arn:aws:iam::${var.build_agent_account_id}:role/build-agent"
         },
         Action = "sts:AssumeRole"
+      },
+      {
+        Sid    = "",
+        Effect = "Allow",
+        Principal = {
+          Federated = "arn:aws:iam::${var.imms_account_id}:oidc-provider/token.actions.githubusercontent.com"
+        },
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
+          },
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" : "repo:NHSDigital/immunisation-fhir-api:*"
+          }
+        }
       }
     ]
   })
@@ -78,3 +94,15 @@ resource "aws_iam_role_policy_attachment" "custom_auto_ops" {
   role       = aws_iam_role.auto_ops.name
   policy_arn = aws_iam_policy.auto_ops.arn
 }
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url = "https://token.actions.githubusercontent.com"
+
+  client_id_list = [
+    "sts.amazonaws.com"
+  ]
+
+  thumbprint_list = [
+    "2b18947a6a9fc7764fd8b5fb18a863b0c6dac24f"
+  ]
+}
