Add development environment for aws-service-infrahouse-app#29
Merged
Conversation
Create IAM roles (state-manager, admin, github) for the development environment in the same accounts as sandbox (workload: 303467602807, tfstates: 289256138624). Developers will use this environment to pull secrets from AWS while running frontend and backend locally. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
infrahouse8
approved these changes
May 25, 2026
State
|
| Success | 🟢 Add | 🟡 Change | Destroy |
|---|---|---|---|
| ✅ | 17 | 11 | 0 |
Affected resources by action
| Action | Resources |
|---|---|
| 🟢 | module.aws_service_infrahouse_app.github_repository_environment.cd["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_environment.ci["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.makefile_env["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.releases_auto_tfvars["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.requirements_txt["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.terraform_tf["development"] |
| 🟢 | module.aws_service_infrahouse_app.github_repository_file.terraform_tfvars["development"] |
| 🟢 | module.aws_service_infrahouse_app_gha_development.aws_iam_policy.github |
| 🟢 | module.aws_service_infrahouse_app_gha_development.aws_iam_role.admin |
| 🟢 | module.aws_service_infrahouse_app_gha_development.aws_iam_role.github |
| 🟢 | module.aws_service_infrahouse_app_gha_development.aws_iam_role_policy_attachment.admin |
| 🟢 | module.aws_service_infrahouse_app_gha_development.aws_iam_role_policy_attachment.github |
| 🟢 | module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_policy.permissions_ro |
| 🟢 | module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_policy.permissions_rw |
| 🟢 | module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role.state-manager |
| 🟢 | module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role_policy_attachment.state-manager-ro |
| 🟢 | module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role_policy_attachment.state-manager-rw[0] |
| 🟡 | github_team_members.admins |
| 🟡 | github_team_members.dev |
| 🟡 | module.aws_service_infrahouse_app.github_actions_variable.aws_default_region |
| 🟡 | module.aws_service_infrahouse_app.github_actions_variable.role_admin |
| 🟡 | module.aws_service_infrahouse_app.github_actions_variable.role_github |
| 🟡 | module.aws_service_infrahouse_app.github_actions_variable.role_state_manager |
| 🟡 | module.aws_service_infrahouse_app.github_repository_file.makefile_fragment[0] |
| 🟡 | module.aws_service_infrahouse_app.github_repository_file.terraform_cd[0] |
| 🟡 | module.aws_service_infrahouse_app.github_repository_file.terraform_ci[0] |
| 🟡 | module.aws_service_infrahouse_app.github_repository_file.terraform_drift_wrapper[0] |
| 🟡 | module.aws_service_infrahouse_app.github_repository_ruleset.main |
STDOUT
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
~ update in-place
<= read (data resources)
Terraform will perform the following actions:
# github_team_members.admins will be updated in-place
~ resource "github_team_members" "admins" {
id = "14268696"
# (1 unchanged attribute hidden)
- members {
- role = "maintainer" -> null
- username = "infrahouse8" -> null
}
+ members {
+ role = "member"
+ username = "infrahouse8"
}
# (1 unchanged block hidden)
}
# github_team_members.dev will be updated in-place
~ resource "github_team_members" "dev" {
id = "7332815"
# (1 unchanged attribute hidden)
- members {
- role = "maintainer" -> null
- username = "infrahouse8" -> null
}
+ members {
+ role = "member"
+ username = "infrahouse8"
}
# (2 unchanged blocks hidden)
}
# module.aws_service_infrahouse_app.github_actions_variable.aws_default_region will be updated in-place
~ resource "github_actions_variable" "aws_default_region" {
id = "aws-service-infrahouse-app:AWS_DEFAULT_REGION"
~ value = jsonencode(
~ {
+ development = "us-west-1"
# (1 unchanged attribute hidden)
}
)
# (5 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_actions_variable.role_admin will be updated in-place
~ resource "github_actions_variable" "role_admin" {
id = "aws-service-infrahouse-app:ROLE_ADMIN"
~ value = jsonencode(
{
- sandbox = "arn:aws:iam::303467602807:role/ih-tf-aws-service-infrahouse-app-admin"
}
) -> (known after apply)
# (5 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_actions_variable.role_github will be updated in-place
~ resource "github_actions_variable" "role_github" {
id = "aws-service-infrahouse-app:ROLE_GITHUB"
~ value = jsonencode(
{
- sandbox = "arn:aws:iam::303467602807:role/ih-tf-aws-service-infrahouse-app-github"
}
) -> (known after apply)
# (5 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_actions_variable.role_state_manager will be updated in-place
~ resource "github_actions_variable" "role_state_manager" {
id = "aws-service-infrahouse-app:ROLE_STATE_MANAGER"
~ value = jsonencode(
{
- sandbox = "arn:aws:iam::289256138624:role/ih-tf-aws-service-infrahouse-app-state-manager"
}
) -> (known after apply)
# (5 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_repository_environment.cd["development"] will be created
+ resource "github_repository_environment" "cd" {
+ can_admins_bypass = true
+ environment = "live-development"
+ id = (known after apply)
+ prevent_self_review = false
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_environment.ci["development"] will be created
+ resource "github_repository_environment" "ci" {
+ can_admins_bypass = true
+ environment = "continuous-integration-development"
+ id = (known after apply)
+ prevent_self_review = false
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_file.makefile_env["development"] will be created
+ resource "github_repository_file" "makefile_env" {
+ autocreate_branch_source_sha = (known after apply)
+ branch = (known after apply)
+ commit_message = "Add Makefile for development environment"
+ commit_sha = (known after apply)
+ content = <<-EOT
# This file is managed by Terraform in infrahouse/github-control repository.
# Do not edit this file, all changes will be overwritten.
# If you need to add custom targets, create a new file in the makefiles/ directory.
include $(wildcard ../../makefiles/*)
EOT
+ file = "environments/development/Makefile"
+ id = (known after apply)
+ overwrite_on_create = true
+ ref = (known after apply)
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
+ sha = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_file.makefile_fragment[0] will be updated in-place
~ resource "github_repository_file" "makefile_fragment" {
~ commit_message = "Update makefiles/Makefile" -> "Add makefiles/Makefile"
id = "aws-service-infrahouse-app:makefiles/Makefile:main"
# (9 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_repository_file.releases_auto_tfvars["development"] will be created
+ resource "github_repository_file" "releases_auto_tfvars" {
+ autocreate_branch_source_sha = (known after apply)
+ branch = "main"
+ commit_message = "Add releases.auto.tfvars for development environment"
+ commit_sha = (known after apply)
+ content = <<-EOT
# Release-managed values — bumped by CI pipelines or release managers.
# This file is owned by the service repo, not github-control.
docker_image_tag = "latest"
EOT
+ file = "environments/development/releases.auto.tfvars"
+ id = (known after apply)
+ overwrite_on_create = true
+ ref = (known after apply)
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
+ sha = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_file.requirements_txt["development"] will be created
+ resource "github_repository_file" "requirements_txt" {
+ autocreate_branch_source_sha = (known after apply)
+ branch = (known after apply)
+ commit_message = "Add requirements.txt for development environment"
+ commit_sha = (known after apply)
+ content = <<-EOT
infrahouse-toolkit ~= 2.59
semgrep ~= 1.163
yamllint ~= 1.29
EOT
+ file = "environments/development/requirements.txt"
+ id = (known after apply)
+ overwrite_on_create = false
+ ref = (known after apply)
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
+ sha = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_file.terraform_cd[0] will be updated in-place
~ resource "github_repository_file" "terraform_cd" {
~ content = <<-EOT
---
name: "Terraform CD"
on: # yamllint disable-line rule:truthy
pull_request:
types:
- "closed"
permissions:
id-token: "write"
contents: "read"
concurrency:
group: "terraform"
cancel-in-progress: false
jobs:
deploy-order-0:
if: "github.event.pull_request.merged"
strategy:
fail-fast: false
matrix:
- env: ["sandbox"]
+ env: ["development","sandbox"]
name: "Terraform Apply ${{ matrix.env }}"
runs-on: ubuntu-24.04
environment: "live-${{ matrix.env }}"
timeout-minutes: 60
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REGION_JSON: "${{ vars.AWS_DEFAULT_REGION }}"
ROLE_GITHUB_JSON: "${{ vars.ROLE_GITHUB }}"
ROLE_SM_JSON: "${{ vars.ROLE_STATE_MANAGER }}"
TF_VAR_environment: "${{ matrix.env }}"
defaults:
run:
shell: "bash"
steps:
- name: "Checkout"
uses: "actions/checkout@v6"
- name: "Extract Variables"
id: "extract_vars"
run: |
REGION=$(echo '${{ env.REGION_JSON }}' | jq -r '.${{ matrix.env }}')
echo "REGION=$REGION" >> "$GITHUB_OUTPUT"
ROLE_GITHUB=$(echo '${{ env.ROLE_GITHUB_JSON }}' | jq -r '.${{ matrix.env }}')
echo "ROLE_GITHUB=$ROLE_GITHUB" >> "$GITHUB_OUTPUT"
ROLE_SM=$(echo '${{ env.ROLE_SM_JSON }}' | jq -r '.${{ matrix.env }}')
echo "ROLE_STATE_MANAGER=$ROLE_SM" >> "$GITHUB_OUTPUT"
- name: "Configure AWS Credentials"
uses: "aws-actions/configure-aws-credentials@v6"
with:
role-to-assume: "${{ steps.extract_vars.outputs.ROLE_GITHUB }}"
role-session-name: "github-actions-${{ matrix.env }}"
aws-region: "${{ steps.extract_vars.outputs.REGION }}"
- name: "Set Terraform version"
id: "terraform_version"
run: |
echo "IH_TF_VERSION=$(cat .terraform-version)" >> "$GITHUB_OUTPUT"
- name: "Setup Terraform"
uses: "hashicorp/setup-terraform@v4"
with:
terraform_version: "${{ steps.terraform_version.outputs.IH_TF_VERSION }}"
- name: "Set up Python"
uses: "actions/setup-python@v6"
with:
python-version: "3.14"
- name: "Setup Python Environment"
working-directory: "environments/${{ matrix.env }}"
run: |
make bootstrap
- name: "Download Terraform Plan"
working-directory: "environments/${{ matrix.env }}"
run: |
ih-plan \
--aws-assume-role-arn \
${{ steps.extract_vars.outputs.ROLE_STATE_MANAGER }} \
download \
plans/${{ matrix.env }}/${{ github.event.pull_request.number }}.plan \
tf.plan
- name: "Terraform Init"
working-directory: "environments/${{ matrix.env }}"
run: |
terraform init -input=false
- name: "Terraform Validate"
working-directory: "environments/${{ matrix.env }}"
run: |
terraform validate -no-color
- name: "Terraform Apply"
working-directory: "environments/${{ matrix.env }}"
run: |
make apply
- name: "Remove Plan"
working-directory: "environments/${{ matrix.env }}"
run: |
ih-plan \
--aws-assume-role-arn \
${{ steps.extract_vars.outputs.ROLE_STATE_MANAGER }} \
remove \
plans/${{ matrix.env }}/${{ github.event.pull_request.number }}.plan
EOT
id = "aws-service-infrahouse-app:.github/workflows/terraform-CD.yml:main"
# (9 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_repository_file.terraform_ci[0] will be updated in-place
~ resource "github_repository_file" "terraform_ci" {
~ content = <<-EOT
---
name: "Terraform CI"
on: # yamllint disable-line rule:truthy
pull_request:
permissions:
id-token: "write"
contents: "read"
pull-requests: "write"
concurrency:
group: "terraform"
cancel-in-progress: false
jobs:
plan:
strategy:
fail-fast: false
matrix:
- env: ["sandbox"]
+ env: ["development","sandbox"]
name: "Terraform Plan ${{ matrix.env }}"
runs-on: ubuntu-24.04
environment: "continuous-integration-${{ matrix.env }}"
timeout-minutes: 15
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
REGION_JSON: "${{ vars.AWS_DEFAULT_REGION }}"
ROLE_GITHUB_JSON: "${{ vars.ROLE_GITHUB }}"
ROLE_SM_JSON: "${{ vars.ROLE_STATE_MANAGER }}"
TF_VAR_environment: "${{ matrix.env }}"
defaults:
run:
shell: "bash"
steps:
- name: "Checkout"
uses: "actions/checkout@v6"
- name: "Extract Variables"
id: "extract_vars"
run: |
REGION=$(echo '${{ env.REGION_JSON }}' | jq -r '.${{ matrix.env }}')
echo "REGION=$REGION" >> "$GITHUB_OUTPUT"
ROLE_GITHUB=$(echo '${{ env.ROLE_GITHUB_JSON }}' | jq -r '.${{ matrix.env }}')
echo "ROLE_GITHUB=$ROLE_GITHUB" >> "$GITHUB_OUTPUT"
ROLE_SM=$(echo '${{ env.ROLE_SM_JSON }}' | jq -r '.${{ matrix.env }}')
echo "ROLE_STATE_MANAGER=$ROLE_SM" >> "$GITHUB_OUTPUT"
- name: "Configure AWS Credentials"
uses: "aws-actions/configure-aws-credentials@v6"
with:
role-to-assume: "${{ steps.extract_vars.outputs.ROLE_GITHUB }}"
role-session-name: "github-actions-${{ matrix.env }}"
aws-region: "${{ steps.extract_vars.outputs.REGION }}"
- name: "Set Terraform version"
id: "terraform_version"
run: |
echo "IH_TF_VERSION=$(cat .terraform-version)" >> "$GITHUB_OUTPUT"
- name: "Setup Terraform"
uses: "hashicorp/setup-terraform@v4"
with:
terraform_version: "${{ steps.terraform_version.outputs.IH_TF_VERSION }}"
- name: "Set up Python"
uses: "actions/setup-python@v6"
with:
python-version: "3.14"
- name: "Setup Python Environment"
working-directory: "environments/${{ matrix.env }}"
run: |
make bootstrap
- name: "Code Style Check"
working-directory: "environments/${{ matrix.env }}"
run: |
make lint
- name: "Terraform Init"
working-directory: "environments/${{ matrix.env }}"
run: |
terraform init -input=false
- name: "Terraform Validate"
working-directory: "environments/${{ matrix.env }}"
run: |
terraform validate -no-color
- name: "Terraform Plan"
working-directory: "environments/${{ matrix.env }}"
run: |
make plan
ih-plan publish \
${{ github.repository }} \
${{ github.event.pull_request.number }} \
plan.stdout plan.stderr
- name: "Upload Terraform Plan"
working-directory: "environments/${{ matrix.env }}"
run: |
ih-plan \
--aws-assume-role-arn \
${{ steps.extract_vars.outputs.ROLE_STATE_MANAGER }} \
upload \
--key-name=plans/${{ matrix.env }}/${{ github.event.pull_request.number }}.plan \
tf.plan
EOT
id = "aws-service-infrahouse-app:.github/workflows/terraform-CI.yml:main"
# (9 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_repository_file.terraform_drift_wrapper[0] will be updated in-place
~ resource "github_repository_file" "terraform_drift_wrapper" {
~ content = <<-EOT
---
name: "[Meta] Terraform Drift Detection"
on:
workflow_dispatch:
schedule:
# Runs daily at 10:XX AM UTC
- cron: "57 10 * * *"
jobs:
config-drift-check:
strategy:
matrix:
- env: ["sandbox"]
+ env: ["development","sandbox"]
uses: "./.github/workflows/terraform-drift.yml"
with:
env: "${{ matrix.env }}"
secrets: "inherit"
notify_on_failure:
name: "Notify #infra slack on failure"
needs: ["config-drift-check"]
if: ${{ failure() }}
runs-on: ubuntu-latest
steps:
- name: Post to Slack
uses: "slackapi/slack-github-action@v2.1.1"
with:
method: "chat.postMessage"
token: ${{ secrets.SLACK_BOT_TOKEN }}
payload: |
channel: "${{ vars.INFRA_NOTIFICATION_CHANNEL }}"
text: "❌ Terraform Drift Detection failed for ${{ github.repository }}. Check the workflow run for more details: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}."
EOT
id = "aws-service-infrahouse-app:.github/workflows/terraform-drift-wrapper.yml:main"
# (9 unchanged attributes hidden)
}
# module.aws_service_infrahouse_app.github_repository_file.terraform_tf["development"] will be created
+ resource "github_repository_file" "terraform_tf" {
+ autocreate_branch_source_sha = (known after apply)
+ branch = "main"
+ commit_message = "Add terraform.tf for development environment"
+ commit_sha = (known after apply)
+ content = (known after apply)
+ file = "environments/development/terraform.tf"
+ id = (known after apply)
+ overwrite_on_create = true
+ ref = (known after apply)
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
+ sha = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_file.terraform_tfvars["development"] will be created
+ resource "github_repository_file" "terraform_tfvars" {
+ autocreate_branch_source_sha = (known after apply)
+ branch = "main"
+ commit_message = "Add terraform.tfvars for development environment"
+ commit_sha = (known after apply)
+ content = (known after apply)
+ file = "environments/development/terraform.tfvars"
+ id = (known after apply)
+ overwrite_on_create = true
+ ref = (known after apply)
+ repository = "aws-service-infrahouse-app"
+ repository_id = (known after apply)
+ sha = (known after apply)
}
# module.aws_service_infrahouse_app.github_repository_ruleset.main will be updated in-place
~ resource "github_repository_ruleset" "main" {
id = "16000443"
name = "Main Branch Protection"
# (6 unchanged attributes hidden)
~ rules {
# (7 unchanged attributes hidden)
~ required_status_checks {
# (2 unchanged attributes hidden)
+ required_check {
+ context = "Terraform Plan development"
+ integration_id = 0
}
# (3 unchanged blocks hidden)
}
# (1 unchanged block hidden)
}
# (2 unchanged blocks hidden)
}
# module.aws_service_infrahouse_app_gha_development.data.aws_iam_policy_document.admin-trust will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "admin-trust" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "sts:AssumeRole",
]
+ principals {
+ identifiers = [
+ "arn:aws:iam::990466748045:role/aws-reserved/sso.amazonaws.com/us-west-1/AWSReservedSSO_AWSAdministratorAccess_16bdbe5eb442e7ef",
+ (known after apply),
]
+ type = "AWS"
}
}
}
# module.aws_service_infrahouse_app_gha_development.data.aws_iam_policy_document.github-permissions will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "github-permissions" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "sts:AssumeRole",
]
+ resources = [
+ (known after apply),
+ (known after apply),
]
}
}
# module.aws_service_infrahouse_app_gha_development.aws_iam_policy.github will be created
+ resource "aws_iam_policy" "github" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = "ih-tf-aws-service-infrahouse-app-github"
+ path = "/"
+ policy = (known after apply)
+ policy_id = (known after apply)
+ tags = {
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
}
}
# module.aws_service_infrahouse_app_gha_development.aws_iam_role.admin will be created
+ resource "aws_iam_role" "admin" {
+ arn = (known after apply)
+ assume_role_policy = (known after apply)
+ create_date = (known after apply)
+ description = "Role to manage AWS account"
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 43200
+ name = "ih-tf-aws-service-infrahouse-app-admin"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
+ "module_version" = "4.0.0"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
+ "module_version" = "4.0.0"
}
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# module.aws_service_infrahouse_app_gha_development.aws_iam_role.github will be created
+ resource "aws_iam_role" "github" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
}
+ StringLike = {
+ "token.actions.githubusercontent.com:sub" = "repo:infrahouse/aws-service-infrahouse-app:*"
}
}
+ Effect = "Allow"
+ Principal = {
+ Federated = "arn:aws:iam::303467602807:oidc-provider/token.actions.githubusercontent.com"
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ description = "Role for a GitHub Actions runner in repo aws-service-infrahouse-app"
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 43200
+ name = "ih-tf-aws-service-infrahouse-app-github"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/gha-admin/aws"
+ "environment" = "development"
}
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# module.aws_service_infrahouse_app_gha_development.aws_iam_role_policy_attachment.admin will be created
+ resource "aws_iam_role_policy_attachment" "admin" {
+ id = (known after apply)
+ policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+ role = "ih-tf-aws-service-infrahouse-app-admin"
}
# module.aws_service_infrahouse_app_gha_development.aws_iam_role_policy_attachment.github will be created
+ resource "aws_iam_role_policy_attachment" "github" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "ih-tf-aws-service-infrahouse-app-github"
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.data.aws_iam_policy_document.assume will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "assume" {
+ id = (known after apply)
+ json = (known after apply)
+ minified_json = (known after apply)
+ statement {
+ actions = [
+ "sts:AssumeRole",
]
+ sid = "000"
+ principals {
+ identifiers = [
+ "arn:aws:iam::990466748045:role/aws-reserved/sso.amazonaws.com/us-west-1/AWSReservedSSO_AWSAdministratorAccess_16bdbe5eb442e7ef",
+ (known after apply),
]
+ type = "AWS"
}
}
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_policy.permissions_ro will be created
+ resource "aws_iam_policy" "permissions_ro" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = "ih-tf-aws-service-infrahouse-app-state-manager-ro"
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "s3:ListBucket"
+ Effect = "Allow"
+ Resource = "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app"
},
+ {
+ Action = "s3:GetObject"
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/plans/*",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/development/terraform.tfstate.tflock",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/development/terraform.tfstate",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/*.zip",
]
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags = {
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
}
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_policy.permissions_rw will be created
+ resource "aws_iam_policy" "permissions_rw" {
+ arn = (known after apply)
+ attachment_count = (known after apply)
+ id = (known after apply)
+ name = (known after apply)
+ name_prefix = "ih-tf-aws-service-infrahouse-app-state-manager-rw"
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "s3:PutObject",
+ "s3:DeleteObject",
]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/plans/*",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/development/terraform.tfstate.tflock",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/development/terraform.tfstate",
+ "arn:aws:s3:::infrahouse-github-control-aws-service-infrahouse-app/*.zip",
]
},
+ {
+ Action = [
+ "dynamodb:PutItem",
+ "dynamodb:GetItem",
+ "dynamodb:DescribeTable",
+ "dynamodb:DeleteItem",
]
+ Effect = "Allow"
+ Resource = "arn:aws:dynamodb:us-west-1:289256138624:table/infrahouse-github-control-aws-service-infrahouse-app-exciting-buzzard"
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags = {
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
}
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role.state-manager will be created
+ resource "aws_iam_role" "state-manager" {
+ arn = (known after apply)
+ assume_role_policy = (known after apply)
+ create_date = (known after apply)
+ description = "Role to manage a terraform state of a repo"
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 43200
+ name = "ih-tf-aws-service-infrahouse-app-state-manager"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
+ "module_version" = "1.5.0"
}
+ tags_all = {
+ "created_by" = "infrahouse/github-control"
+ "created_by_module" = "infrahouse/state-manager/aws"
+ "environment" = "development"
+ "module_version" = "1.5.0"
}
+ unique_id = (known after apply)
+ inline_policy (known after apply)
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role_policy_attachment.state-manager-ro will be created
+ resource "aws_iam_role_policy_attachment" "state-manager-ro" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "ih-tf-aws-service-infrahouse-app-state-manager"
}
# module.aws_service_infrahouse_app_gha_development.module.state-manager.aws_iam_role_policy_attachment.state-manager-rw[0] will be created
+ resource "aws_iam_role_policy_attachment" "state-manager-rw" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "ih-tf-aws-service-infrahouse-app-state-manager"
}
Plan: 17 to add, 11 to change, 0 to destroy.
Warning: Argument is deprecated
with module.ih_8_repos.github_repository.repo,
on modules/local-repo/repos.tf line 4, in resource "github_repository" "repo":
4: has_downloads = false
This attribute is no longer in use, but it hasn't been removed yet. It will
be removed in a future version. See
https://github.com/orgs/community/discussions/102145#discussioncomment-8351756
(and 6 more similar warnings elsewhere)
Warning: Deprecated attribute
on .terraform/modules/actions-runner-pem-493370826424-uw1/data_sources.tf line 11, in data "external" "secret_value":
11: "python", "${path.module}/assets/get_secret.py", data.aws_region.current.name, aws_secretsmanager_secret.secret.id, data.aws_iam_role.caller_role.arn
The attribute "name" is deprecated. Refer to the provider documentation for
details.
(and 5 more similar warnings elsewhere)
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: tf.plan
To perform exactly these actions, run the following command to apply:
terraform apply "tf.plan"
metadata
eyJzMzovL2luZnJhaG91c2UtZ2l0aHViLWNvbnRyb2wtc3RhdGUvdGVycmFmb3JtLnRmc3RhdGUiOiB7InN1Y2Nlc3MiOiB0cnVlLCAiYWRkIjogMTcsICJjaGFuZ2UiOiAxMSwgImRlc3Ryb3kiOiAwfX0=
akuzminsky
pushed a commit
that referenced
this pull request
May 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
gha-adminmodule for thedevelopmentenvironment (IAM roles for state management, admin, and GitHub Actions OIDC)developmentto theenvironmentsmap in the service-repo module withdeploy_order = 0Test plan
terraform planshows the expected new IAM roles and GitHub environment resources🤖 Generated with Claude Code