From 441295d1406b28b51121ff0f37601e2e95179195 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 12 Apr 2025 07:39:57 +0200
Subject: [PATCH 1/5] feat(module): add output variable `arn` and deprecate output variable `iam_role_arn`
---
 CHANGELOG.md | 12 +++++++++++-
 README.md | 2 +-
 outputs.tf | 7 +++++++
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d511684..b005c50 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,8 +2,18 @@
 All notable changes to this project will be documented in this file.
+## 1.1.0 - 2025-04-12
+
+### Added
+
+- Added output variable `arn`.
+
+### Deprecated
+
+- Deprecated output variable `iam_role_arn`. Use `arn` instead.
+
 ## 1.0.0 - 2025-04-11
 ### Added
-- initial import
+- Initial import.
diff --git a/README.md b/README.md
index af5a1f6..e7ca711 100644
--- a/README.md
+++ b/README.md
@@ -11,7 +11,7 @@ continuous integration tasks on AWS.
 ``` hcl
 module "aws_iam_role" {
- source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.0.0"
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"
 name = local.name
 policy_statements = jsonencode([
diff --git a/outputs.tf b/outputs.tf
index f3ef649..ebfd120 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,3 +1,10 @@
+output "arn" {
+ description = "AWS IAM role ARN."
+ sensitive = false
+ value = aws_iam_role.main.id
+}
+
+# Deprecated since 1.1.0
 output "iam_role_arn" {
 description = "AWS IAM role ARN."
 sensitive = false
From 757343409ee1f08eea26034aadb5c55b3b62a7bc Mon Sep 17 00:00:00 2001
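Review bot: The new `arn` output in outputs.tf is described as "AWS IAM role ARN." but reads `aws_iam_role.main.id`, and for `aws_iam_role` the `id` attribute is the role name, not the ARN; the value line should be `value = aws_iam_role.main.arn`. A consumer that feeds this output into a trust-policy `Principal` or an `iam:PassRole` resource will be handed a bare name where an ARN is required, and the `output.arn != null` assertion added in PATCH 2/5's main.tftest.hcl is too weak to notice. The value line of the deprecated `iam_role_arn` output lies outside the hunk, so it is worth checking whether it carries the same attribute.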
From: Julien Dessaux
Date: Sat, 12 Apr 2025 07:56:07 +0200
Subject: [PATCH 2/5] chore(infrastructure): bootstrap CI
---
 .forgejo/workflows/main.yaml | 16 ++++++++++++++++
 infrastructure/tofu/.gitignore | 1 +
 infrastructure/tofu/.terraform.lock.hcl | 21 +++++++++++++++++++++
 infrastructure/tofu/main.tf | 19 +++++++++++++++++++
 infrastructure/tofu/providers.tf | 24 ++++++++++++++++++++++++
 main.tftest.hcl | 15 +++++++++++++++
 6 files changed, 96 insertions(+)
create mode 100644 .forgejo/workflows/main.yaml
create mode 100644 infrastructure/tofu/.gitignore
create mode 100644 infrastructure/tofu/.terraform.lock.hcl
create mode 100644 infrastructure/tofu/main.tf
create mode 100644 infrastructure/tofu/providers.tf
create mode 100644 main.tftest.hcl
diff --git a/.forgejo/workflows/main.yaml b/.forgejo/workflows/main.yaml
new file mode 100644
index 0000000..2e4bd1f
--- /dev/null
+++ b/.forgejo/workflows/main.yaml
@@ -0,0 +1,16 @@
+---
+name: 'main'
+
+on:
+ push:
+ workflow_dispatch:
+
+jobs:
+ test:
+ runs-on: 'self-hosted'
+ steps:
+ - uses: 'actions/checkout@v4'
+ - uses: "https://git.adyxax.org/adyxax/action-tofu-aws-test@1.0.0"
+ with:
+ aws-access-key-id: "${{ vars.AWS_ACCESS_KEY_ID }}"
+ aws-access-key-secret: "${{ secrets.AWS_ACCESS_KEY_SECRET }}"
diff --git a/infrastructure/tofu/.gitignore b/infrastructure/tofu/.gitignore
new file mode 100644
index 0000000..a8c8222
--- /dev/null
+++ b/infrastructure/tofu/.gitignore
@@ -0,0 +1 @@
+!.terraform.lock.hcl
diff --git a/infrastructure/tofu/.terraform.lock.hcl b/infrastructure/tofu/.terraform.lock.hcl
new file mode 100644
index 0000000..9ee3c83
--- /dev/null
+++ b/infrastructure/tofu/.terraform.lock.hcl
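Review bot: Both `uses:` references under `steps` are resolved by mutable tag (`actions/checkout@v4` and `action-tofu-aws-test@1.0.0`), so anyone who can move either tag gets code execution on the self-hosted runner with `secrets.AWS_ACCESS_KEY_SECRET` available; pin each to a full commit hash and keep the tag as a trailing comment, e.g. `- uses: 'actions/checkout@<commit-sha>' # v4`. The `push:` trigger under `on:` carries no `branches:` filter, so every pushed branch runs the AWS test job with the same credentials; if that is intended, a one-line comment saying so would help, otherwise restrict it to the branches that should exercise the test account.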
@@ -0,0 +1,21 @@ +# This file is maintained automatically by "tofu init". +# Manual edits may be lost in future updates. + +provider "registry.opentofu.org/hashicorp/aws" { + version = "5.91.0" + constraints = "5.91.0" + hashes = [ + "h1:g+uDHz6bZ36QaxoKWmJEYGh7OP5RAE5MPbxLohzcU18=", + "h1:qw1Sp5py+7rRwzHgHNJvgYTeTkBnPHY7WercO1BsOh0=", + "zh:057e6cb85e3efe2c30ef5ca47cc47abc8217e2e0dddce2e92a8d2d6f18b6cee6", + "zh:0f15d3f599e07307ac9771c602dcaaf0c46dd259649da985cb3cb80a7a647cea", + "zh:187086070cc878ab0a27163939516983e3efae65ebff78dc3466619cdf978dee", + "zh:67a58fc85c630bcc6c772f573813caabe6c9af291c71c7207590fc4792e4d94e", + "zh:68abb9382928ce29c0f3dd9a75b41ad2a453f3a46330f484d1ea858589146c1b", + "zh:772134ba713e879e5b70d614d08a6650f156e7a3fa724d538bfa85632b1ed639", + "zh:bf67439e47cf6720dcec7a1e2988d6c10c56d7eea69bb1ecff1b22d6bb63a36d", + "zh:bfd0b91dc4ae338eb79ec41bede5eed7a0740380bffbdfbda362f7ed08e0e2ad", + "zh:ca3c3313cd4971850da45ce4337b027a804389db740c310ba637bc0a86775eef", + "zh:d75a8ec54a4783c25cb806b887f0d3c67cded08db8c496fd9cf831791e4c8482", + ] +}
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
new file mode 100644
index 0000000..37037f8
--- /dev/null
+++ b/infrastructure/tofu/main.tf
@@ -0,0 +1,19 @@
+locals {
+ name = "tofu-module-aws-iam-role"
+}
+
+module "aws_iam_ci_user" {
+ providers = {
+ aws.core = aws.all["core"]
+ aws.root = aws.all["root"]
+ aws.tests = aws.all["tests"]
+ }
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.0"
+
+ name = local.name
+ tests_policy_statements = jsonencode([{
+ Action = "iam:*"
+ Effect = "Allow"
+ Resource = "arn:aws:iam::*:role/tftest",
+ }])
+}
diff --git a/infrastructure/tofu/providers.tf b/infrastructure/tofu/providers.tf
new file mode 100644
index 0000000..8b42979
--- /dev/null
+++ b/infrastructure/tofu/providers.tf
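Review bot: The `tests_policy_statements` grant in `module "aws_iam_ci_user"` allows `iam:*` on `arn:aws:iam::*:role/tftest`, which leaves the account field as a wildcard and includes policy-mutating actions such as `iam:PutRolePolicy`, `iam:AttachRolePolicy` and `iam:UpdateAssumeRolePolicy` that a create-and-destroy test does not need. Pin the account and enumerate the actions the module's resources actually call, e.g. `Resource = "arn:aws:iam::<tests-account-id>:role/tftest"`, so the CI user's blast radius stays limited to the test role's lifecycle. A short comment above the statement explaining why the CI user needs role permissions at all would also help the next reader.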
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ bucket = "adyxax-tofu-states"
+ dynamodb_table = "tofu-states"
+ key = "repositories/${local.name}"
+ profile = "core"
+ region = "eu-west-3"
+ }
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "5.91.0"
+ }
+ }
+}
+
+provider "aws" {
+ for_each = toset(["core", "root", "tests"])
+
+ alias = "all"
+ default_tags { tags = { "managed-by" = "tofu" } }
+ profile = each.key
+ region = "eu-west-3"
+}
diff --git a/main.tftest.hcl b/main.tftest.hcl
new file mode 100644
index 0000000..c21db0b
--- /dev/null
+++ b/main.tftest.hcl
@@ -0,0 +1,15 @@
+provider "aws" {
+ profile = "tests"
+ region = "eu-west-3"
+}
+
+run "main" {
+ assert {
+ condition = output.arn != null
+ error_message = "invalid IAM role ARN"
+ }
+}
+
+variables {
+ name = "tftest"
+}
From eb54320d07721e441455c07a17ecc56578c487fa Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 12 Apr 2025 08:18:05 +0200
Subject: [PATCH 3/5] chore(infrastructure): upgrade tofu-module-aws-iam-ci-user to 1.0.1
---
 infrastructure/tofu/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
index 37037f8..8b5d943 100644
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@@ -8,7 +8,7 @@ module "aws_iam_ci_user" {
 aws.root = aws.all["root"]
 aws.tests = aws.all["tests"]
 }
- source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.0"
+ source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-ci-user?depth=1&ref=1.0.1"
 name = local.name
 tests_policy_statements = jsonencode([{
From 3be1738e040a1b3b472f62985c37e2125de037a9 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Sat, 12 Apr 2025 08:29:44 +0200
Subject: [PATCH 4/5] chore(infrastructure): rename test role to avoid collision with tofu-module-aws-iam-ci-user
---
 infrastructure/tofu/main.tf | 2 +-
 main.tftest.hcl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
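Review bot: The `backend "s3"` block sets `bucket`, `dynamodb_table`, `key`, `profile` and `region` but not `encrypt = true`, so server-side encryption of the state object is left to whatever default the bucket happens to apply; this state will hold whatever `module "aws_iam_ci_user"` provisions for the CI user, which presumably includes access-key material, so add `encrypt = true` next to `bucket`. `key = "repositories/${local.name}"` references a local inside the backend block, which only works under OpenTofu's early evaluation of backend configuration and fails under Terraform; a comment such as `# local.name in backend config relies on OpenTofu early evaluation` would spare the next reader a failed init.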
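Review bot: The assertion `condition = output.arn != null` inside `run "main"` only proves the output is populated; it passes just as well if the output carries a role name or any other non-null string, so it cannot catch a wrong attribute behind the `arn` output. Checking the shape costs one line: `condition = can(regex("^arn:aws:iam::[0-9]{12}:role/", output.arn))`, with `error_message` reworded to say the value is not a role ARN.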
diff --git a/infrastructure/tofu/main.tf b/infrastructure/tofu/main.tf
index 8b5d943..0d11105 100644
--- a/infrastructure/tofu/main.tf
+++ b/infrastructure/tofu/main.tf
@@ -14,6 +14,6 @@ module "aws_iam_ci_user" {
 tests_policy_statements = jsonencode([{
 Action = "iam:*"
 Effect = "Allow"
- Resource = "arn:aws:iam::*:role/tftest",
+ Resource = "arn:aws:iam::*:role/tftest-role",
 }])
 }
diff --git a/main.tftest.hcl b/main.tftest.hcl
index c21db0b..68f4c3b 100644
--- a/main.tftest.hcl
+++ b/main.tftest.hcl
@@ -11,5 +11,5 @@ run "main" {
 }
 variables {
- name = "tftest"
+ name = "tftest-role"
 }
From d9848c574efcd291ac840d372748a520e8fb6027 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Fri, 25 Apr 2025 14:05:30 +0200
Subject: [PATCH 5/5] doc(module): document assume role policy behavior
---
 README.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e7ca711..bfc8605 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,7 @@ continuous integration tasks on AWS.
 module "aws_iam_role" {
 source = "git::ssh://git@git.adyxax.org/adyxax/tofu-module-aws-iam-role?depth=1&ref=1.1.0"
- name = local.name
+ name = local.name
 policy_statements = jsonencode([
 {
 Action = "acm:*"
@@ -24,6 +24,11 @@ module "aws_iam_role" {
 }
 ```
+## Assume role policy
+
+This role is designed to be used with AWS Identity Center and provisions a trust
+relationship to the root organization account.
+
 ## Policies
 The IAM role is granted the following permissions on the AWS account: