Previous push rejected for deprecated aws resource. Fixed, and aligned cross-reference.

Benettonkkb · Benettonkkb · commit e54f538fb9a6 · 2026-04-29T21:38:29.000Z
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
@@ -11,7 +11,7 @@ module "aws_custom_policies" {
     }
     "IncubatorTfPlanSecretsRead" = {
       description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"
-      filename    = "incubator-tf-plan-secrets-read-policy.json"
+      filename    = "tf-plan-scoped.json"
     }
   }
 }
diff --git a/terraform/modules/aws-gha-oidc-providers/main.tf b/terraform/modules/aws-gha-oidc-providers/main.tf
@@ -50,8 +50,7 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
 
 resource "aws_iam_role" "github_actions_oidc" {
 
-  name                = var.role_name
-  managed_policy_arns = var.policy_arns
+  name = var.role_name
 
   assume_role_policy = jsonencode({
     "Version" : "2012-10-17",
@@ -71,4 +70,11 @@ resource "aws_iam_role" "github_actions_oidc" {
       }
     }]
   })
+}
+
+resource "aws_iam_role_policy_attachment" "github_actions_oidc" {
+  for_each = toset(var.policy_arns)
+
+  role       = aws_iam_role.github_actions_oidc.name
+  policy_arn = each.value
 }

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ module "aws_custom_policies" {`
`11`	`11`	`}`
`12`	`12`	`"IncubatorTfPlanSecretsRead" = {`
`13`	`13`	`description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"`
`14`		`- filename = "incubator-tf-plan-secrets-read-policy.json"`
	`14`	`+ filename = "tf-plan-scoped.json"`
`15`	`15`	`}`
`16`	`16`	`}`
`17`	`17`	`}`