fix: modify the assume role conditional for environment

Author: meysam81

infra/aws-github-oidc/main.tf

@@ -2,12 +2,6 @@ data "tls_certificate" "oidc_thumbprint" {
   url = "https://token.actions.githubusercontent.com"
 }
 
-resource "aws_iam_openid_connect_provider" "github_actions" {
-  url             = "https://token.actions.githubusercontent.com"
-  client_id_list  = ["sts.amazonaws.com"]
-  thumbprint_list = [data.tls_certificate.oidc_thumbprint.certificates[0].sha1_fingerprint]
-}
-
 data "aws_iam_policy_document" "assume_role" {
   statement {
     actions = [
@@ -23,7 +17,13 @@ data "aws_iam_policy_document" "assume_role" {
     condition {
       test     = "StringEquals"
       variable = "token.actions.githubusercontent.com:sub"
-      values   = ["repo:developer-friendly/aws-lambda-opentofu-github-actions:ref:refs/heads/main"]
+      values   = ["repo:developer-friendly/aws-lambda-opentofu-github-actions:environment:${var.environment_name}"]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
     }
   }
 }
@@ -40,6 +40,14 @@ data "aws_iam_policy_document" "lambda_policy" {
   }
 }
 
+resource "aws_iam_openid_connect_provider" "github_actions" {
+  url            = "https://token.actions.githubusercontent.com"
+  client_id_list = ["sts.amazonaws.com"]
+  thumbprint_list = [
+    data.tls_certificate.oidc_thumbprint.certificates[0].sha1_fingerprint,
+  ]
+}
+
 resource "aws_iam_role" "this" {
   name               = "github-actions"
   assume_role_policy = data.aws_iam_policy_document.assume_role.json

infra/aws-github-oidc/outputs.tf

@@ -1,3 +1,7 @@
 output "role_arn" {
   value = aws_iam_role.this.arn
 }
+
+output "environment_name" {
+  value = var.environment_name
+}

infra/aws-github-oidc/variables.tf

@@ -0,0 +1,4 @@
+variable "environment_name" {
+  type    = string
+  default = "prod"
+}

infra/repository/main.tf

@@ -1,15 +1,21 @@
-data "github_user" "current" {
-  username = ""
+data "aws_region" "current" {}
+
+resource "github_branch_protection" "this" {
+  repository_id = "aws-lambda-opentofu-github-actions"
+
+  pattern          = "main"
+  enforce_admins   = true
+  allows_deletions = false
+
+  force_push_bypassers = [
+    "/meysam81",
+  ]
 }
 
 resource "github_repository_environment" "this" {
-  environment = "prod"
+  environment = var.environment_name
   repository  = "aws-lambda-opentofu-github-actions"
 
-  reviewers {
-    users = [data.github_user.current.id]
-  }
-
   prevent_self_review = false
 
   deployment_branch_policy {
@@ -25,3 +31,11 @@ resource "github_actions_environment_secret" "this" {
   secret_name     = "AWS_IAM_ROLE"
   plaintext_value = var.aws_iam_role
 }
+
+resource "github_actions_environment_variable" "this" {
+  repository  = "aws-lambda-opentofu-github-actions"
+  environment = var.environment_name
+
+  variable_name = "AWS_REGION"
+  value         = data.aws_region.current.name
+}

infra/repository/terragrunt.hcl

@@ -3,7 +3,8 @@ include "root" {
 }
 
 inputs = {
-  aws_iam_role = dependency.github_oidc.outputs.role_arn
+  aws_iam_role     = dependency.github_oidc.outputs.role_arn
+  environment_name = dependency.github_oidc.outputs.environment_name
 }
 
 dependency "github_oidc" {

infra/repository/variables.tf

@@ -2,3 +2,8 @@ variable "aws_iam_role" {
   type        = string
   description = "The ARN of the IAM role to assume"
 }
+
+variable "environment_name" {
+  type     = string
+  nullable = false
+}