From 1e30250b42ededf39cf50214d4207ef99866dbce Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Thu, 12 Mar 2026 11:27:41 +0200 Subject: [PATCH 1/7] chore: Add outputs --- README.md | 8 ++++++-- outputs.tf | 16 ++++++++++++++++ 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7462543..547ea04 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL |------|---------| | [aws](#provider\_aws) | 5.36.0 | | [helm](#provider\_helm) | 2.11.0 | -| [kubernetes](#provider\_kubernetes) | 3.0.1 | +| [kubernetes](#provider\_kubernetes) | 2.33.0 | ## Modules @@ -80,5 +80,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL ## Outputs -No outputs. +| Name | Description | +|------|-------------| +| [arn](#output\_arn) | ARN of IAM role | +| [buckets](#output\_buckets) | List of buckets created | +| [name](#output\_name) | Name of IAM role | diff --git a/outputs.tf b/outputs.tf index 8b13789..41a001a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1 +1,17 @@ +output "name" { + description = "Name of IAM role" + value = module.gitlab_role.iam_role_name +} +output "arn" { + description = "ARN of IAM role" + value = module.gitlab_role.iam_role_arn + +} + +output "buckets" { + description = "List of buckets created" + value = tomap({ + for k, v in module.s3_bucket : k => v.s3_bucket_arn + }) +} \ No newline at end of file From 5fa71f38e163d09677516a542855621b3de7241c Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Thu, 12 Mar 2026 13:39:03 +0200 Subject: [PATCH 2/7] chore: Add custom policy creation for role --- README.md | 7 +++++-- main.tf | 33 ++++++++++++++++++++++++++------- outputs.tf | 4 ++-- variables.tf | 13 +++++++++++++ 4 files changed, 46 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 547ea04..f7affd1 100644 --- a/README.md +++ b/README.md 
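Review bot: The `buckets` output in the outputs.tf hunk is described as "List of buckets created", but its value is `tomap({ for k, v in module.s3_bucket : k => v.s3_bucket_arn })`, a map keyed by bucket name whose values are bucket ARNs, so a consumer reading the description will expect a list of names. `description = "Map of bucket name to bucket ARN"` states what is actually exposed; the README table added in the same patch repeats the misleading wording. The `arn` block also carries a stray blank line before its closing brace and the file ends without a trailing newline, which `terraform fmt` in the repository's pre-commit hook would rewrite.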
@@ -34,6 +34,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL | Name | Source | Version | |------|--------|---------| +| [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.34.0 | | [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | v5.34.0 | | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 | @@ -73,6 +74,8 @@ In the above diagram, you can see the components and their relations (PostgreSQL | [release\_max\_history](#input\_release\_max\_history) | Maximum saved revisions per release | `number` | `10` | no | | [release\_name](#input\_release\_name) | This is the name of the release which also used as a prefix or suffix for the resources | `string` | `"gitlab"` | no | | [release\_namespace](#input\_release\_namespace) | Namespace name where you want to deploy the release. If empty, `release_name` will be used. | `string` | `""` | no | +| [role\_policy](#input\_role\_policy) | Policy for GitLab role | `string` | `null` | no | +| [role\_suffix](#input\_role\_suffix) | Optional suffix for GitLab role | `string` | `"access-aws"` | no | | [smtp\_password](#input\_smtp\_password) | SMTP Password | `string` | `""` | no | | [smtp\_user](#input\_smtp\_user) | SMTP Username | `string` | `""` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | @@ -82,7 +85,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL | Name | Description | |------|-------------| -| [arn](#output\_arn) | ARN of IAM role | | [buckets](#output\_buckets) | List of buckets created | -| [name](#output\_name) | Name of IAM role | +| [role\_arn](#output\_role\_arn) | ARN of IAM role | +| [role\_name](#output\_role\_name) | Name of IAM role | diff --git a/main.tf b/main.tf index af20b16..089eb3b 100644 --- a/main.tf +++ b/main.tf 
@@ -276,15 +276,34 @@ resource "helm_release" "gitlab" { ] } +module "gitlab_policy" { + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "v5.34.0" + + name = "gitlab-role-policy" + description = "Policy for GitLab role" + policy = var.role_policy + + tags = var.tags +} + module "gitlab_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "v5.34.0" - create_role = true - allow_self_assume_role = false - role_description = "Gitlab Role to access S3" - role_name = "${var.release_name}-access-s3" + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" + version = "v5.34.0" + create_role = true + allow_self_assume_role = false + role_description = "Gitlab Role to access AWS resources" + role_name = "${var.release_name}-${var.role_suffix}" + role_policy_arns = [ + module.gitlab_policy.arn + ] + provider_url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer oidc_subjects_with_wildcards = ["system:serviceaccount:${local.release_namespace}:gitlab*"] oidc_fully_qualified_audiences = ["sts.amazonaws.com"] tags = var.tags -} + + depends_on = [ + module.gitlab_policy + ] +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index 41a001a..153c179 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,9 +1,9 @@ -output "name" { +output "role_name" { description = "Name of IAM role" value = module.gitlab_role.iam_role_name } -output "arn" { +output "role_arn" { description = "ARN of IAM role" value = module.gitlab_role.iam_role_arn diff --git a/variables.tf b/variables.tf index 71611b1..bee8099 100644 --- a/variables.tf +++ b/variables.tf 
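Review bot: `module "gitlab_policy"` in the main.tf hunk is created unconditionally with the fixed name `gitlab-role-policy` and `policy = var.role_policy`, whose default is `null`: the role name is prefixed with `var.release_name` but the policy name is not, so two releases in one account collide on the policy name, and a caller who leaves `role_policy` unset hands a null document to the policy module (whether v5.34.0 of that module accepts null needs checking). `name = "${var.release_name}-${var.role_suffix}-policy"` removes the collision, and `count = var.role_policy == null ? 0 : 1` on the policy module with `role_policy_arns = module.gitlab_policy[*].arn` on the role makes the custom policy genuinely optional. The `depends_on = [module.gitlab_policy]` added at the end of `gitlab_role` is redundant because `role_policy_arns` already references `module.gitlab_policy.arn`, and a module-level `depends_on` defers every output of `gitlab_role` to apply time, which would push the `aws_iam_policy_document.s3_bucket_policy` data reads and the Helm role-arn annotation to "known after apply" — worth verifying on a plan; the same `depends_on` survives the rewrite in patch 4.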
@@ -106,3 +106,16 @@ variable "tags" { type = map(string) default = {} } + +variable "role_policy" { + type = string + description = "Policy for GitLab role" + sensitive = true + default = null +} + +variable "role_suffix" { + type = string + description = "Optional suffix for GitLab role" + default = "access-aws" +} \ No newline at end of file From fe8c9b65a2c00852716b5169971dc410db12cf6e Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Thu, 12 Mar 2026 16:30:44 +0200 Subject: [PATCH 3/7] chore: provider_kubernetes --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f7affd1..b9a9428 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL |------|---------| | [aws](#provider\_aws) | 5.36.0 | | [helm](#provider\_helm) | 2.11.0 | -| [kubernetes](#provider\_kubernetes) | 2.33.0 | +| [kubernetes](#provider\_kubernetes) | 3.0.1 | ## Modules From 5421ecf4f415569bc00156175cd283bed6ff9ae1 Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Fri, 13 Mar 2026 12:13:53 +0200 Subject: [PATCH 4/7] chore: IAM modules upgrade --- .pre-commit-config.yaml | 2 +- README.md | 20 +++++++++--------- main.tf | 46 +++++++++++++++++++++-------------------- outputs.tf | 4 ++-- versions.tf | 4 ++-- 5 files changed, 39 insertions(+), 37 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 40db6c4..30490ea 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.86.0 + rev: v1.105.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/README.md b/README.md index b9a9428..9c8ba93 100644 --- a/README.md +++ b/README.md 
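Review bot: `variable "role_policy"` is declared `sensitive = true`, but an IAM policy document is an authorization artifact rather than a secret: marking it sensitive redacts the policy text from `terraform plan` output, so a reviewer can no longer see which permissions a change grants to the GitLab role. Unless there is a concrete reason to hide it, drop `sensitive = true` so permission changes stay visible at review time. The description could also state the expected format, e.g. `description = "JSON IAM policy document attached to the GitLab role; null means no custom policy"`, with the caveat that main.tf in this same patch still instantiates the policy module when the value is null.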
@@ -10,13 +10,13 @@ This module was created to simplify deploying Gitlab into the EKS with storage o In the above diagram, you can see the components and their relations (PostgreSQL and Redis are not deployed with this module). - + ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | 5.36.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | | [helm](#requirement\_helm) | 2.11.0 | | [kubectl](#requirement\_kubectl) | ~> 2.0 | | [kubernetes](#requirement\_kubernetes) | >= 2.20 | @@ -26,7 +26,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.36.0 | +| [aws](#provider\_aws) | 6.36.0 | | [helm](#provider\_helm) | 2.11.0 | | [kubernetes](#provider\_kubernetes) | 3.0.1 | @@ -34,8 +34,8 @@ In the above diagram, you can see the components and their relations (PostgreSQL | Name | Source | Version | |------|--------|---------| -| [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v5.34.0 | -| [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | v5.34.0 | +| [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v6.4.0 | +| [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-role | v6.4.0 | | [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 | ## Resources 
@@ -52,9 +52,9 @@ In the above diagram, you can see the components and their relations (PostgreSQL | [kubernetes_secret_v1.redis](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | | [kubernetes_secret_v1.registry_postgres](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | | [kubernetes_secret_v1.smtp](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource | -| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/eks_cluster) | data source | -| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/5.36.0/docs/data-sources/region) | data source | +| [aws_eks_cluster.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster) | data source | +| [aws_iam_policy_document.s3_bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs @@ -88,4 +88,4 @@ In the above diagram, you can see the components and their relations (PostgreSQL | [buckets](#output\_buckets) | List of buckets created | | [role\_arn](#output\_role\_arn) | ARN of IAM role | | [role\_name](#output\_role\_name) | Name of IAM role | - + diff --git a/main.tf b/main.tf index 089eb3b..1f345cf 100644 --- a/main.tf +++ b/main.tf 
@@ -147,7 +147,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:ListBucket"] resources = ["arn:aws:s3:::${each.value}"] @@ -158,7 +158,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:PutObject", "s3:GetObject"] resources = ["arn:aws:s3:::${each.value}/*"] @@ -169,7 +169,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:DeleteObject"] resources = ["arn:aws:s3:::${each.value}/*"] @@ -180,7 +180,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:PutObjectAcl"] resources = ["arn:aws:s3:::${each.value}/*"] @@ -191,7 +191,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:GetObjectAcl"] resources = ["arn:aws:s3:::${each.value}/*"] @@ -202,7 +202,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:ListBucketMultipartUploads"] resources = ["arn:aws:s3:::${each.value}"] 
@@ -213,7 +213,7 @@ data "aws_iam_policy_document" "s3_bucket_policy" { effect = "Allow" principals { type = "AWS" - identifiers = [module.gitlab_role.iam_role_arn] + identifiers = [module.gitlab_role.arn] } actions = ["s3:ListMultipartUploadParts"] resources = ["arn:aws:s3:::${each.value}/*"] @@ -265,7 +265,7 @@ resource "helm_release" "gitlab" { set { name = "global.serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn" - value = module.gitlab_role.iam_role_arn + value = module.gitlab_role.arn } depends_on = [ @@ -278,7 +278,7 @@ resource "helm_release" "gitlab" { module "gitlab_policy" { source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "v5.34.0" + version = "v6.4.0" name = "gitlab-role-policy" description = "Policy for GitLab role" @@ -288,20 +288,22 @@ module "gitlab_policy" { } module "gitlab_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc" - version = "v5.34.0" - create_role = true - allow_self_assume_role = false - role_description = "Gitlab Role to access AWS resources" - role_name = "${var.release_name}-${var.role_suffix}" - role_policy_arns = [ - module.gitlab_policy.arn - ] + source = "terraform-aws-modules/iam/aws//modules/iam-role" + version = "v6.4.0" + + enable_oidc = true + name = "${var.release_name}-${var.role_suffix}" + description = "Gitlab Role to access AWS resources" + + oidc_provider_urls = [data.aws_eks_cluster.eks.identity[0].oidc[0].issuer] + oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"] + oidc_audiences = ["[sts.amazonaws.com](http://sts.amazonaws.com)"] - provider_url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer - oidc_subjects_with_wildcards = ["system:serviceaccount:${local.release_namespace}:gitlab*"] - oidc_fully_qualified_audiences = ["sts.amazonaws.com"] - tags = var.tags + policies = { + gitlab-role-policy = module.gitlab_policy.arn + } + + tags = var.tags depends_on = [ module.gitlab_policy 
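Review bot: In the rewritten `module "gitlab_role"` block the audience is set to `oidc_audiences = ["[sts.amazonaws.com](http://sts.amazonaws.com)"]`, a Markdown link pasted into the string, so the trust policy's `aud` condition cannot match the token EKS issues and the GitLab service account would be unable to assume the role; it must read `oidc_audiences = ["sts.amazonaws.com"]` (patch 6 of this series corrects it, but this commit leaves the role unusable). The retained `oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"]` lets every service account in the namespace whose name starts with `gitlab` assume the role; that is pre-existing behaviour, but a short comment such as `# wildcard covers the gitlab-* service accounts the chart creates` would record why the trust is not pinned to a single subject. The block's closing brace lies outside the hunk.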
diff --git a/outputs.tf b/outputs.tf index 153c179..a8ea634 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,11 +1,11 @@ output "role_name" { description = "Name of IAM role" - value = module.gitlab_role.iam_role_name + value = module.gitlab_role.arn } output "role_arn" { description = "ARN of IAM role" - value = module.gitlab_role.iam_role_arn + value = module.gitlab_role.arn } diff --git a/versions.tf b/versions.tf index 20bdfb8..1e6cd2a 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.7" required_providers { aws = { source = "hashicorp/aws" - version = "5.36.0" + version = ">= 6.0" } helm = { source = "hashicorp/helm" From 304e2338ee74f08ffc21d7fbfd5f64d32ce57e70 Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Fri, 13 Mar 2026 12:27:03 +0200 Subject: [PATCH 5/7] chore: Do not add suffix to role --- main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 1f345cf..c945901 100644 --- a/main.tf +++ b/main.tf @@ -291,9 +291,10 @@ module "gitlab_role" { source = "terraform-aws-modules/iam/aws//modules/iam-role" version = "v6.4.0" - enable_oidc = true - name = "${var.release_name}-${var.role_suffix}" - description = "Gitlab Role to access AWS resources" + enable_oidc = true + name = "${var.release_name}-${var.role_suffix}" + use_name_prefix = false + description = "Gitlab Role to access AWS resources" oidc_provider_urls = [data.aws_eks_cluster.eks.identity[0].oidc[0].issuer] oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"] From 44cba9a1c390dc258e3d3818d00f6d1c235c86ab Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Sun, 15 Mar 2026 13:26:37 +0200 Subject: [PATCH 6/7] chore: Upgrade S3 module --- README.md | 2 +- main.tf | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9c8ba93..6e91499 100644 --- a/README.md +++ b/README.md 
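Review bot: The `role_name` output in the outputs.tf hunk now returns `module.gitlab_role.arn`, so `role_name` and `role_arn` both emit the role ARN and the description "Name of IAM role" no longer matches what is returned. The iam-role module should expose the name as its own output; `value = module.gitlab_role.name` (confirm the output name against v6.4.0 of the module) restores the previous contract for callers that used the old `iam_role_name`.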
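Review bot: The versions.tf hunk relaxes the aws provider to `version = ">= 6.0"` with no upper bound, so a fresh `terraform init` after the next major provider release would pick it up and could break the module silently, while the README provider table records 6.36.0 as the tested version. `version = "~> 6.0"` keeps the constraint inside the major the module was verified against; the same open-ended constraint is copied into `examples/versions.tf` in patch 7.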
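Review bot: The patch 5 hunk is titled "Do not add suffix to role", yet the block still sets `name = "${var.release_name}-${var.role_suffix}"`; the added `use_name_prefix = false` presumably stops the module from treating the name as a prefix with a generated suffix rather than dropping `role_suffix`. A comment such as `# use_name_prefix = false: create the role with this exact name, not a generated-suffix prefix` would make the intent clear, and the commit message should say the same.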
@@ -36,7 +36,7 @@ In the above diagram, you can see the components and their relations (PostgreSQL |------|--------|---------| | [gitlab\_policy](#module\_gitlab\_policy) | terraform-aws-modules/iam/aws//modules/iam-policy | v6.4.0 | | [gitlab\_role](#module\_gitlab\_role) | terraform-aws-modules/iam/aws//modules/iam-role | v6.4.0 | -| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 4.1.0 | +| [s3\_bucket](#module\_s3\_bucket) | terraform-aws-modules/s3-bucket/aws | 5.10.0 | ## Resources diff --git a/main.tf b/main.tf index c945901..d6c8317 100644 --- a/main.tf +++ b/main.tf @@ -223,10 +223,9 @@ data "aws_iam_policy_document" "s3_bucket_policy" { module "s3_bucket" { for_each = local.buckets_list source = "terraform-aws-modules/s3-bucket/aws" - version = "4.1.0" + version = "5.10.0" bucket = each.value - acl = null force_destroy = false versioning = { @@ -298,7 +297,7 @@ module "gitlab_role" { oidc_provider_urls = [data.aws_eks_cluster.eks.identity[0].oidc[0].issuer] oidc_wildcard_subjects = ["system:serviceaccount:${local.release_namespace}:gitlab*"] - oidc_audiences = ["[sts.amazonaws.com](http://sts.amazonaws.com)"] + oidc_audiences = ["sts.amazonaws.com"] policies = { gitlab-role-policy = module.gitlab_policy.arn From 8f56a862590ab7f2140d18fde22e3c34c661ab99 Mon Sep 17 00:00:00 2001 From: Mykhailo Babych Date: Sun, 15 Mar 2026 19:04:04 +0200 Subject: [PATCH 7/7] chore: Update examples for S3 usage --- examples/README.md | 11 ++++++++--- examples/main.tf | 4 ++-- examples/versions.tf | 25 ++++++++++++++++++++++++- 3 files changed, 34 insertions(+), 6 deletions(-) diff --git a/examples/README.md b/examples/README.md index fc4890b..2de153a 100644 --- a/examples/README.md +++ b/examples/README.md 
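Review bot: Bumping `module "s3_bucket"` from 4.1.0 to 5.10.0 in the first main.tf hunk is a major-version change, and patch 7 of this series has to rewrite the example lifecycle rules from `"enabled": true` to `"status": "Enabled"`, which suggests the bucket definitions callers supply through `local.buckets_list` are handed to the module unchanged; nothing in this commit warns existing callers that their lifecycle rules need the same migration. A sentence in the bucket variable's description, or a `validation` block rejecting rules that still carry `enabled`, would make the break explicit (the variable itself is outside this hunk). Removing `acl = null` alongside the bump is only safe if the v5 module's ownership defaults match what 4.1.0 produced for these buckets — worth confirming in a plan.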
@@ -1,9 +1,14 @@ - + ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0 | +| [terraform](#requirement\_terraform) | >= 1.5.7 | +| [aws](#requirement\_aws) | >= 6.0 | +| [helm](#requirement\_helm) | 2.11.0 | +| [kubectl](#requirement\_kubectl) | ~> 2.0 | +| [kubernetes](#requirement\_kubernetes) | >= 2.20 | +| [time](#requirement\_time) | >= 0.9 | ## Providers @@ -26,4 +31,4 @@ No inputs. ## Outputs No outputs. - + diff --git a/examples/main.tf b/examples/main.tf index 0a54ede..23aff72 100644 --- a/examples/main.tf +++ b/examples/main.tf @@ -40,7 +40,7 @@ module "gitlab" { "lifecycle_rule": [ { "id": "log", - "enabled": true, + "status": "Enabled", "expiration": { "days": 30 } @@ -53,7 +53,7 @@ EOF "lifecycle_rule": [ { "id": "log", - "enabled": true, + "status": "Enabled", "noncurrent_version_transition": [ { "days": 30, diff --git a/examples/versions.tf b/examples/versions.tf index 7117131..1e6cd2a 100644 --- a/examples/versions.tf +++ b/examples/versions.tf @@ -1,3 +1,26 @@ terraform { - required_version = ">= 1.0" + required_version = ">= 1.5.7" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 6.0" + } + helm = { + source = "hashicorp/helm" + version = "2.11.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = ">= 2.20" + } + time = { + source = "hashicorp/time" + version = ">= 0.9" + } + kubectl = { + source = "alekc/kubectl" + version = "~> 2.0" + } + } }