From b408996d6e695220ef277d3aa151dfdfb3737bca Mon Sep 17 00:00:00 2001
From: Alexander Amiri
Date: Fri, 13 Mar 2026 23:51:35 +0100
Subject: [PATCH] Fix OIDC trust policy + add permissions boundary for password-set role
Two issues blocking apply: 1. ci-infra OIDC trust only matched ref-based sub claims, but the apply job uses `environment: production` which sends environment-based claims. Added both formats to the trust condition. 2. password-set IAM role was missing permissions_boundary, which the developer boundary requires for all new roles created via CI. Also reverts v5 pin from #57 since that wasn't the root cause.
---
 .github/workflows/platform-ci.yml | 6 ++----
 terraform/platform/iam/main.tf | 9 +++++++--
 terraform/platform/lambdas/main.tf | 3 ++-
 3 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/platform-ci.yml b/.github/workflows/platform-ci.yml
index 59b6b80..fa22973 100644
--- a/.github/workflows/platform-ci.yml
+++ b/.github/workflows/platform-ci.yml
@@ -152,8 +152,7 @@ jobs:
 terraform_version: "1.7"
 terraform_wrapper: false
- # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
- - uses: aws-actions/configure-aws-credentials@v5
+ - uses: aws-actions/configure-aws-credentials@v6
 with:
 role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
 aws-region: ${{ env.AWS_REGION }}
@@ -201,8 +200,7 @@ jobs:
 terraform_version: "1.7"
 terraform_wrapper: false
- # Pinned to v5 — v6 breaks OIDC AssumeRoleWithWebIdentity for this role
- - uses: aws-actions/configure-aws-credentials@v5
+ - uses: aws-actions/configure-aws-credentials@v6
 with:
 role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra
 aws-region: ${{ env.AWS_REGION }}
diff --git a/terraform/platform/iam/main.tf b/terraform/platform/iam/main.tf
index 99cd8c8..ba5dff3 100644
--- a/terraform/platform/iam/main.tf
+++ b/terraform/platform/iam/main.tf
@@ -162,8 +162,13 @@ resource "aws_iam_role" "ci_infra" {
 "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
 }
 StringLike = {
- # Main branch ONLY — apply never runs on PRs
- "token.actions.githubusercontent.com:sub" = "repo:${var.github_org}/platform:ref:refs/heads/main"
+ # Main branch OR production environment — the apply job uses
+ # `environment: production`, which changes the OIDC sub claim
+ # from ref-based to environment-based.
+ "token.actions.githubusercontent.com:sub" = [
+ "repo:${var.github_org}/platform:ref:refs/heads/main",
+ "repo:${var.github_org}/platform:environment:production",
+ ]
 }
 }
 }
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index e1a0b4d..cd0c12e 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -533,7 +533,8 @@ resource "aws_iam_role_policy_attachment" "team_provisioner_logs" {
 # --- password-set role ---
 resource "aws_iam_role" "password_set" {
- name = "${var.project}-password-set"
+ name = "${var.project}-password-set"
+ permissions_boundary = "arn:aws:iam::${var.aws_account_id}:policy/${var.project}-developer-boundary"
 assume_role_policy = jsonencode({
 Version = "2012-10-17"
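Review bot: The second `sub` entry added in the iam/main.tf hunk, `repo:${var.github_org}/platform:environment:production`, matches a token minted for any workflow run that targets the `production` environment whatever branch it runs from, so the trust policy on its own no longer enforces the main-only guarantee the removed comment stated; that guarantee now rests on the GitHub environment's deployment branch policy being restricted to main, which nothing in this commit shows. The new comment should record that dependency, e.g. `# NOTE: the environment-based sub is minted for any branch allowed to deploy to "production"; main-only now relies on that environment's deployment branch policy.` If the restriction is wanted inside the policy itself, GitHub's subject-claim customization (if enabled for this repo) can put the ref back into the environment-based sub so this entry can be narrowed too. Neither pattern contains a wildcard, so `StringEquals` would state the intent more precisely than `StringLike`. The enclosing `aws_iam_role.ci_infra` resource starts before the hunk.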