chore(infrastructure): upgrade tofu-module-aws-iam-ci-user to 1.1.0

chore(infrastructure): upgrade aws provider to 6.2.0
doc(module): document assume role policy behavior
2025-07-11 10:18:13 +02:00 · 2025-07-11 10:14:27 +02:00 · 2025-04-26 15:10:46 +02:00 · 2025-04-12 08:29:44 +02:00 · 2025-04-12 08:18:05 +02:00 · 2025-04-12 07:56:07 +02:00
9 changed files with 148 additions and 3 deletions
--- a/.forgejo/workflows/main.yaml
+++ b/.forgejo/workflows/main.yaml
@ -0,0 +1,16 @@
+---
+name: 'main'
+
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  test:
+    runs-on: 'self-hosted'
+    steps:
+      - uses: 'actions/checkout@v4'
+      - uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"
+        with:
+          aws-access-key-id: "${{ vars.AWS_ACCESS_KEY_ID }}"
+          aws-access-key-secret: "${{ secrets.AWS_ACCESS_KEY_SECRET }}"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,8 +2,18 @@

 All notable changes to this project will be documented in this file.

+## 1.1.0 - 2025-04-12
+
+### Added
+
+- Added output variable `arn`.
+
+### Deprecated
+
+- Deprecated output variable `iam_role_arn`. Use `arn` instead.
+
 ## 1.0.0 - 2025-04-11

 ### Added

- initial import
+- Initial import.
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ continuous integration tasks on AWS.

 ``` hcl
 module "aws_iam_role" {
-  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0"
+  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"

  name              = local.name
  policy_statements = jsonencode([
@ -24,6 +24,11 @@ module "aws_iam_role" {
 }
 ```

+## Assume role policy
+
+This role is designed to be used with AWS Identity Center and provisions a trust
+relationship to the root organization account.
+
 ## Policies

 The IAM role is granted the following permissions on the AWS account:
--- a/infrastructure/tofu/.gitignore
+++ b/infrastructure/tofu/.gitignore
@ -0,0 +1 @@
+!.terraform.lock.hcl
--- a/infrastructure/tofu/.terraform.lock.hcl
+++ b/infrastructure/tofu/.terraform.lock.hcl
@ -0,0 +1,36 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/adyxax/forgejo" {
+  version     = "1.1.0"
+  constraints = "1.1.0"
+  hashes = [
+    "h1:xa2K1rn2OzQofizev01UBKEgq4WHo3EM5/fiPCxFL/E=",
+    "zh:0a9fb11ae6b14abca1a5376b3c83182586e8735e67aa863b223737af1edb9802",
+    "zh:16a86c5a4b394f04ab14992b15ee812daee38c88570a6431a9dd7c0b961c3166",
+    "zh:2c2f2703fad8d682d74832ea650cb58efbaf7b63e67c57f4344561ab529c81de",
+    "zh:38326430e210fb899981a5d99b3dd17f0040356ef1879e0a3fe96c9d13d27b4b",
+    "zh:7757c16957287f8e1cca39d349d5c219fc31ef8ce55b60db9f83099e10cd3a93",
+    "zh:890df766e9b839623b1f0437355032a3c006226a6c200cd911e15ee1a9014e9f",
+    "zh:b91bd40d90199ff8c811e241f94931a540d571807743dcd9768625d177c38e29",
+    "zh:efb6d4c30e3412a727c63af9d04ed4b24dfdde251d18343d62a45ae967e4f6ab",
+    "zh:f5357ef185a3183f01555371602471aeadc340a16b1f1355e706fedbfd1f9dad",
+  ]
+}
+
+provider "registry.opentofu.org/hashicorp/aws" {
+  version     = "6.2.0"
+  constraints = "6.2.0"
+  hashes = [
+    "h1:UcBl0SyNxOTHOa3Ske3ClmzA7V1S7e/I4+29DLGe85A=",
+    "zh:26072ed06da98bfeff0a9ef54edd215c7af005658a670e098dc6445c10bf2b55",
+    "zh:39aba613926547b289128a8c37baa0b8762dce974ed0e5859c1fd24afaa753b0",
+    "zh:3a97a68258a7cb707ae571a43cfb44142c00a4543689fea4dcbe2e9db2336310",
+    "zh:3af54af122ffc4477ee23dc855b27fdeb3682fff09ac8394b37eac3164faaa65",
+    "zh:4ab39e61f699b9189386b037ba8a6725634e99115a6d24946baae2f461ce519e",
+    "zh:98455edb4f11267c144f15eb36a25adec3121ac8af34754ebfac9e6e00fd5ec7",
+    "zh:b51e505cd73ddf015ce765f4df5ddc5f7e5a42eb596f57bcf0f1eae5338d4efa",
+    "zh:c132a00c0495ae62a14affd1f41bcd7d11f91cf559c6229aa168f326938aedbe",
+    "zh:e14ddc80f4ca1d394889e27d9188f4368ac7d3437e6a10490d1314da66039bf4",
+  ]
+}
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@ -0,0 +1,23 @@
+locals {
+  name = "tofu-module-aws-iam-role"
+}
+
+module "aws_iam_ci_user" {
+  providers = {
+    aws.core  = aws.all["core"]
+    aws.root  = aws.all["root"]
+    aws.tests = aws.all["tests"]
+  }
+  source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.1.0"
+
+  forgejo_repository = {
+    name  = local.name
+    owner = "adyxax"
+  }
+  name = local.name
+  tests_policy_statements = jsonencode([{
+    Action   = "iam:*"
+    Effect   = "Allow"
+    Resource = "arn:aws:iam::*:role/tftest-role",
+  }])
+}
--- a/infrastructure/tofu/providers.tf
+++ b/infrastructure/tofu/providers.tf
@ -0,0 +1,32 @@
+terraform {
+  backend "s3" {
+    bucket         = "adyxax-tofu-states"
+    dynamodb_table = "tofu-states"
+    key            = "repositories/${local.name}"
+    profile        = "core"
+    region         = "eu-west-3"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "6.2.0"
+    }
+    forgejo = {
+      source  = "adyxax/forgejo"
+      version = "1.1.0"
+    }
+  }
+}
+
+provider "aws" {
+  for_each = toset(["core", "root", "tests"])
+
+  alias = "all"
+  default_tags { tags = { "managed-by" = "tofu" } }
+  profile = each.key
+  region  = "eu-west-3"
+}
+
+provider "forgejo" {
+  base_uri = "https://git.adyxax.org/"
+}
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@ -0,0 +1,15 @@
+provider "aws" {
+  profile = "tests"
+  region  = "eu-west-3"
+}
+
+run "main" {
+  assert {
+    condition     = output.arn != null
+    error_message = "invalid IAM role ARN"
+  }
+}
+
+variables {
+  name = "tftest-role"
+}
--- a/outputs.tf
+++ b/outputs.tf
@ -1,3 +1,10 @@
+output "arn" {
+  description = "AWS IAM role ARN."
+  sensitive   = false
+  value       = aws_iam_role.main.id
+}
+
+# Deprecated since 1.1.0
 output "iam_role_arn" {
  description = "AWS IAM role ARN."
  sensitive   = false
Author	SHA1	Message	Date
Julien Dessaux	271ced8520	chore(infrastructure): upgrade tofu-module-aws-iam-ci-user to 1.1.0 All checks were successful main / test (push) Successful in 1m54s Details	2025-07-11 10:18:13 +02:00
Julien Dessaux	d4f08aa3ba	chore(infrastructure): upgrade aws provider to 6.2.0	2025-07-11 10:14:27 +02:00
Julien Dessaux	d9848c574e	doc(module): document assume role policy behavior All checks were successful main / test (push) Successful in 53s Details	2025-04-26 15:10:46 +02:00
Julien Dessaux	3be1738e04	chore(infrastructure): rename test role to avoid collision with tofu-module-aws-iam-ci-user All checks were successful main / test (push) Successful in 52s Details	2025-04-12 08:29:44 +02:00
Julien Dessaux	eb54320d07	chore(infrastructure): upgrade tofu-module-aws-iam-ci-user to 1.0.1	2025-04-12 08:18:05 +02:00
Julien Dessaux	757343409e	chore(infrastructure): bootstrap CI All checks were successful main / test (push) Successful in 48s Details	2025-04-12 07:56:07 +02:00
Julien Dessaux	441295d140	feat(module): add output variable `arn` and deprecate output variable `iam_role_arn`	2025-04-12 07:56:02 +02:00