Fix OIDC trust policy + add permissions boundary for password-set role

Two issues blocking apply:
1. ci-infra OIDC trust only matched ref-based sub claims, but the apply
   job uses `environment: production` which sends environment-based claims.
   Added both formats to the trust condition.
2. password-set IAM role was missing permissions_boundary, which the
   developer boundary requires for all new roles created via CI.

Also reverts v5 pin from #57 since that wasn't the root cause.

Author: Alexanderamiri

.github/workflows/platform-ci.yml

@@ -152,8 +152,7 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
-      - uses: aws-actions/configure-aws-credentials@v5
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}
@@ -201,8 +200,7 @@ jobs:
           terraform_version: "1.7"
           terraform_wrapper: false
 
-      # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
-      - uses: aws-actions/configure-aws-credentials@v5
+      - uses: aws-actions/configure-aws-credentials@v6
         with:
           role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
           aws-region: ${{ env.AWS_REGION }}

terraform/platform/iam/main.tf

@@ -162,8 +162,13 @@ resource "aws_iam_role" "ci_infra" {
             "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
           }
           StringLike = {
-            # Main branch ONLY — apply never runs on PRs
-            "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/platform:ref:refs/heads/main"
+            # Main branch OR production environment — the apply job uses
+            # `environment: production`, which changes the OIDC sub claim
+            # from ref-based to environment-based.
+            "token.actions.githubusercontent.com:sub" = [
+              "repo:${var.github_org}/platform:ref:refs/heads/main",
+              "repo:${var.github_org}/platform:environment:production",
+            ]
           }
         }
       }

terraform/platform/lambdas/main.tf

@@ -533,7 +533,8 @@ resource "aws_iam_role_policy_attachment" "team_provisioner_logs" {
 
 # --- password-set role ---
 resource "aws_iam_role" "password_set" {
-  name = "${var.project}-password-set"
+  name                 = "${var.project}-password-set"
+  permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"