MaterializeInc · jshiwamV · Nov 6, 2025 · Oct 20, 2025 · Oct 20, 2025 · Oct 20, 2025
diff --git a/.github/setup/aws/.terraform.lock.hcl b/.github/setup/aws/.terraform.lock.hcl
diff --git a/.github/setup/aws/backend.tf b/.github/setup/aws/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket  = "materialize-terraform-self-managed-state"
+    key     = "github-setup/oidc/aws/terraform.tfstate"
+    region  = "us-east-1"
+    encrypt = true
+    # profile = "" # Add your profile name here since backend block doesn't accept variables
+  }
+}
diff --git a/.github/setup/aws/main.tf b/.github/setup/aws/main.tf
@@ -0,0 +1,35 @@
+# IAM Role for GitHub Actions
+resource "aws_iam_role" "github_actions" {
+  name                 = "mz-self-managed-github-actions-role"
+  max_session_duration = var.max_session_duration
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Effect = "Allow"
+        Principal = {
+          Federated = var.oidc_provider_arn
+        }
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = "repo:MaterializeInc/materialize-terraform-self-managed:*"
+          }
+        }
+      }
+    ]
+  })
+
+  tags = {
+    Name = "materialize-terraform-self-managed-github-actions-role"
+  }
+}
+
+# Admin policy for GitHub Actions (simplified for testing)
+resource "aws_iam_role_policy_attachment" "github_actions_admin" {
+  role       = aws_iam_role.github_actions.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
diff --git a/.github/setup/aws/outputs.tf b/.github/setup/aws/outputs.tf
@@ -0,0 +1,10 @@
+# Outputs for GitHub Actions configuration
+output "github_actions_role_arn" {
+  description = "ARN of the IAM role for GitHub Actions"
+  value       = aws_iam_role.github_actions.arn
+}
+
+output "github_actions_role_name" {
+  description = "Name of the IAM role for GitHub Actions"
+  value       = aws_iam_role.github_actions.name
+}
diff --git a/.github/setup/aws/variables.tf b/.github/setup/aws/variables.tf
@@ -0,0 +1,16 @@
+variable "profile" {
+  description = "The AWS CLI profile to use for authentication"
+  type        = string
+  default     = "default"
+}
+
+variable "oidc_provider_arn" {
+  description = "The ARN of the OIDC provider for GitHub Actions"
+  type        = string
+}
+
+variable "max_session_duration" {
+  description = "The maximum session duration for the IAM role"
+  type        = number
+  default     = 28800 # 8 hours
+}
diff --git a/.github/setup/aws/versions.tf b/.github/setup/aws/versions.tf
@@ -0,0 +1,15 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = "us-east-1"
+}
diff --git a/.github/setup/azure/.terraform.lock.hcl b/.github/setup/azure/.terraform.lock.hcl
diff --git a/.github/setup/azure/accessTokenLifeTime.sh b/.github/setup/azure/accessTokenLifeTime.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+# Exit early on error/unset var/pipe failure
+set -euo pipefail
+
+# 1. Create a 4-hour token lifetime policy and capture the policy ID
-# 1. Create a 4-hour token lifetime policy and capture the policy ID
+#!/usr/bin/env bash
+set -euo pipefail
+
+# 1. Create a 4-hour token lifetime policy and capture the policy ID
-# 1. Create a 4-hour token lifetime policy and capture the policy ID
+#!/usr/bin/env bash
+set -euo pipefail
+
+# 1. Create a 4-hour token lifetime policy and capture the policy ID
+POLICY_RESPONSE=$(az rest --method POST \
+  --url "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies" \
+  --headers "Content-Type=application/json" \
+  --body '{
+    "definition": ["{\"TokenLifetimePolicy\":{\"Version\":1,\"AccessTokenLifetime\":\"04:00:00\"}}"],
+    "displayName": "ExtendedAccessTokenPolicy",
+    "isOrganizationDefault": false
+  }')
+
+# 2. Extract policy ID and get application ID
+POLICY_ID=$(echo $POLICY_RESPONSE | jq -r '.id')
+APP_ID=$(az ad app list --display-name "mz-self-managed-github-actions" --query "[0].id" -o tsv)
+
+echo "Policy ID: $POLICY_ID"
+echo "Application ID: $APP_ID"
+
+# 3. Assign policy to application
+az rest --method POST \
+  --url "https://graph.microsoft.com/v1.0/applications/${APP_ID}/tokenLifetimePolicies/\$ref" \
+  --headers "Content-Type=application/json" \
+  --body "{\"@odata.id\": \"https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/${POLICY_ID}\"}"
+
+echo "✅ Token lifetime policy applied successfully!"
diff --git a/.github/setup/azure/backend.tf b/.github/setup/azure/backend.tf
@@ -0,0 +1,9 @@
+terraform {
+  backend "s3" {
+    bucket  = "materialize-terraform-self-managed-state"
+    key     = "github-setup/oidc/azure/terraform.tfstate"
+    region  = "us-east-1"
+    encrypt = true
+    # profile = "" # Add your profile name here since backend block doesn't accept variables
+  }
+}