eli-445 adding github bootstrap role

eddalmond1 · eddalmond1 · commit 1d255e5d061b · 2026-02-16T16:32:00.000Z
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_role.tf b/infrastructure/stacks/iams-developer-roles/github_actions_role.tf
@@ -30,3 +30,64 @@ resource "aws_iam_role" "github_actions" {
     }
   )
 }
+
+
+# GitHub Actions IAM Bootstrap Role
+# It can update the main deployment role's policies but cannot modify itself.
+resource "aws_iam_role" "github_actions_iam_bootstrap" {
+  name                 = "github-actions-iam-bootstrap-role"
+  description          = "Role for GitHub Actions to deploy IAM infrastructure (iams-developer-roles stack only)"
+  permissions_boundary = aws_iam_policy.iam_bootstrap_permissions_boundary.arn
+  path                 = "/service-roles/"
+
+  assume_role_policy = data.aws_iam_policy_document.github_actions_iam_bootstrap_assume_role.json
+
+  tags = merge(
+    local.tags,
+    {
+      Name = "github-actions-iam-bootstrap-role"
+    }
+  )
+}
+
+data "aws_iam_policy_document" "github_actions_iam_bootstrap_assume_role" {
+  statement {
+    sid     = "OidcAssumeRoleForIamBootstrap"
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type = "Federated"
+      identifiers = [
+        aws_iam_openid_connect_provider.github.arn
+      ]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    # Only allow from main branch (and events triggered from main)
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = [
+        "repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main",
+        "repo:${var.github_org}/${var.github_repo}:environment:*",
+      ]
+    }
+
+    # Only allow from the IAM bootstrap and base deployment workflows
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:job_workflow_ref"
+      values   = [
+        "${var.github_org}/${var.github_repo}/.github/workflows/iam-bootstrap-deploy.yaml@*",
+        "${var.github_org}/${var.github_repo}/.github/workflows/base-deploy.yml@*",
+        "${var.github_org}/${var.github_repo}/.github/workflows/cicd-2-publish.yaml@*",
+      ]
+    }
+  }
+}
