From 9c4d956da4e3ac1c32455224671cdd98249f7f4b Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 5 Feb 2026 01:52:20 +0000
Subject: [PATCH] Separate Terraform plan and apply roles for incubator

---
 terraform/aws-gha-oidc-providers.tf | 43 +++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
index 534abe2..cc906ca 100644
--- a/terraform/aws-gha-oidc-providers.tf
+++ b/terraform/aws-gha-oidc-providers.tf
@@ -9,4 +9,47 @@ module "iam_oidc_gha_incubator" {
 policy_arns = [
 "arn:aws:iam::aws:policy/AdministratorAccess"
 ]
+
+}
+module "iam_oidc_incubator_tf_plan" {
+source = "./modules/aws-gha-oidc-providers"
+
+role_name = "incubator-tf-plan"
+use_wildcard = true
+github_branch = "refs/heads/*" # concerning IAM audit, ok, as it is read-only
+github_repo = "hackforla/incubator"
+
+policy_arns = [
+"arn:aws:iam::aws:policy/ReadOnlyAccess"
+]
+}
+resource "aws_iam_role" "incubator_tf_apply" {
+name = "incubator-tf-apply"
+
+assume_role_policy = jsonencode({
+Version = "2012-10-17"
+Statement = [
+{
+Effect = "Allow"
+Action = "sts:AssumeRoleWithWebIdentity"
+Principal = {
+Federated = module.iam_oidc_gha_incubator.provider_arn
+}
+Condition = {
+StringEquals = {
+"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+}
+StringLike = {
+"token.actions.githubusercontent.com:sub" = "repo:hackforla/incubator:ref:refs/heads/main"
+}
+}
+}
+]
+})
 }
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
+role = aws_iam_role.incubator_tf_apply.name
+policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
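Review bot: The plan role in `iam_oidc_incubator_tf_plan` is bound to `refs/heads/*` with the AWS managed `ReadOnlyAccess` policy, and the inline comment treats that as acceptable because it is read-only, but that managed policy includes data-plane reads such as `s3:Get*`, so any branch pushed to the repository can read bucket contents (including any Terraform state kept in S3) and other resource data, not just configuration metadata. If plan only needs to refresh and diff state, consider `ViewOnlyAccess` plus a policy scoped to the state backend, or keep `ReadOnlyAccess` but make the exposure explicit in the comment, e.g. `# any branch of the repo can assume this; ReadOnlyAccess still grants s3:Get* and similar data reads`. In the `incubator_tf_apply` trust policy the `sub` value contains no wildcard, so `StringLike` can be `StringEquals` to state the exact-branch intent and avoid a later wildcard slipping in unnoticed. The existing `iam_oidc_gha_incubator` module still attaches `AdministratorAccess` (context lines at the top of the hunk); if its branch binding is wider than `main`, the split adds a narrower apply path but does not reduce admin exposure until that role is narrowed or retired.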