[ELI-731] creating a new role and adding a trust policy for the regression repo

TOEL2 · TOEL2 · commit 14d275e62cd2 · 2026-04-15T14:52:44.000+01:00
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -721,6 +721,34 @@ data "aws_iam_policy_document" "github_actions_assume_role" {
   }
 }
 
+# Assume role policy document for GitHub Actions
+data "aws_iam_policy_document" "regression_repo_assume_role" {
+  statement {
+    sid    = "OidcAssumeRoleWithWebIdentity"
+    effect = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type = "Federated"
+      identifiers = [
+        aws_iam_openid_connect_provider.github.arn
+      ]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values = ["repo:${var.github_org}/${var.regression_repo}:*"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values = ["sts.amazonaws.com"]
+    }
+  }
+}
+
 resource "aws_iam_policy" "stream_management" {
   name        = "stream-management"
   description = "Allow GitHub Actions to manage project Firehose delivery streams and Kinesis streams"
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
@@ -107,3 +107,20 @@ data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
     }
   }
 }
+
+resource "aws_iam_role" "regression_test_role" {
+  name                 = "Eligibility-Signposting-API-E2E-Regression-Tests"
+  description          = "Role for regression testing"
+  permissions_boundary = aws_iam_policy.permissions_boundary.arn
+  path                 = "/service-roles/"
+
+  # Trust policy allowing GitHub Actions to assume the role
+  assume_role_policy = data.aws_iam_policy_document.regression_repo_assume_role.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "Eligibility-Signposting-API-E2E-Regression-Tests"
+    }
+  )
+}
diff --git a/infrastructure/stacks/iams-developer-roles/variables.tf b/infrastructure/stacks/iams-developer-roles/variables.tf
@@ -9,3 +9,9 @@ variable "github_repo" {
   description = "GitHub repository"
   type        = string
 }
+
+variable "regression_repo" {
+  default     = "eligibility-signposting-api-regression-tests"
+  description = "GitHub repository"
+  type        = string
+}
