
Add read-only state-manager for 303467602807 from aws-control-289256138624#79

Merged
akuzminsky merged 1 commit intomainfrom
ih-tf-aws-control-303467602807-state-manager-read-only
Feb 19, 2026

@akuzminsky
Member

Move ih-tf-aws-control-303467602807-state-manager-read-only management
to aws-control for centralized CI/CD role management. Uses state-manager
v1.4.2 with exact version pinning.

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

…38624

Move ih-tf-aws-control-303467602807-state-manager-read-only management
to aws-control for centralized CI/CD role management. Uses state-manager
v1.4.2 with exact version pinning.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions

State s3://infrahouse-aws-control-990466748045/terraform.tfstate

Affected resources counts

Success 🟢 Add Change Destroy
4 0 0

Affected resources by action

Action Resources
🟢 module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_policy.permissions_ro
🟢 module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_policy.permissions_rw
🟢 module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_role.state-manager
🟢 module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_role_policy_attachment.state-manager-ro
STDOUT
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_policy.permissions_ro will be created
  + resource "aws_iam_policy" "permissions_ro" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = (known after apply)
      + name_prefix      = "ih-tf-aws-control-303467602807-state-manager-read-only-ro"
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = "s3:ListBucket"
                      + Effect   = "Allow"
                      + Resource = "arn:aws:s3:::infrahouse-aws-control-303467602807"
                    },
                  + {
                      + Action   = "s3:GetObject"
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/terraform.tfstate",
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/plans/*",
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/*.zip",
                        ]
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "created_by_module" = "infrahouse/state-manager/aws"
        }
      + tags_all         = {
          + "created_by"        = "infrahouse/aws-control"
          + "created_by_module" = "infrahouse/state-manager/aws"
          + "environment"       = "production"
        }
    }
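Review bot: The `s3:GetObject` grant on `terraform.tfstate` in `permissions_ro` means this "read-only" role can read every attribute stored in state, including values Terraform marks sensitive, so it should be reviewed and monitored as a secrets-access role rather than a low-risk one. The `arn:aws:s3:::infrahouse-aws-control-303467602807/*.zip` resource also matches keys at any depth, because `*` in an IAM resource ARN is not stopped by `/`; if only root-level archives are meant, a comment in the module saying so, or a narrower prefix, would make the intent checkable. The policy document is generated by the state-manager module, whose source is not shown here, so any change would land there rather than in this repository.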

  # module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_policy.permissions_rw will be created
  + resource "aws_iam_policy" "permissions_rw" {
      + arn              = (known after apply)
      + attachment_count = (known after apply)
      + id               = (known after apply)
      + name             = (known after apply)
      + name_prefix      = "ih-tf-aws-control-303467602807-state-manager-read-only-rw"
      + path             = "/"
      + policy           = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "s3:PutObject",
                          + "s3:DeleteObject",
                        ]
                      + Effect   = "Allow"
                      + Resource = [
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/terraform.tfstate",
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/plans/*",
                          + "arn:aws:s3:::infrahouse-aws-control-303467602807/*.zip",
                        ]
                    },
                  + {
                      + Action   = [
                          + "dynamodb:PutItem",
                          + "dynamodb:GetItem",
                          + "dynamodb:DescribeTable",
                          + "dynamodb:DeleteItem",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:dynamodb:us-west-1:289256138624:table/infrahouse-aws-control-303467602807-thorough-gnu"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + policy_id        = (known after apply)
      + tags             = {
          + "created_by_module" = "infrahouse/state-manager/aws"
        }
      + tags_all         = {
          + "created_by"        = "infrahouse/aws-control"
          + "created_by_module" = "infrahouse/state-manager/aws"
          + "environment"       = "production"
        }
    }
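Review bot: `permissions_rw` is created but never attached in this plan; the only attachment is `aws_iam_role_policy_attachment.state-manager-ro`. This leaves a customer-managed policy allowing `s3:PutObject`/`s3:DeleteObject` on the state object and item writes on the lock table sitting unattached in a production account. Any principal with `iam:AttachRolePolicy` could attach it without authoring a policy, so it would be cleaner for the module to skip creating the rw policy when the role is read-only (for example a `count` on that resource keyed to the read-only setting; the module source is not visible here, so this is a suggestion for upstream). Separately, the role gets no DynamoDB actions, so it presumably cannot take the state lock and plans run under it would need `-lock=false`, which is worth documenting next to the module call.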

  # module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_role.state-manager will be created
  + resource "aws_iam_role" "state-manager" {
      + arn                   = (known after apply)
      + assume_role_policy    = jsonencode(
            {
              + Statement = [
                  + {
                      + Action    = "sts:AssumeRole"
                      + Effect    = "Allow"
                      + Principal = {
                          + AWS = [
                              + "arn:aws:iam::990466748045:role/aws-reserved/sso.amazonaws.com/us-west-1/AWSReservedSSO_AWSAdministratorAccess_16bdbe5eb442e7ef",
                              + "arn:aws:iam::493370826424:role/ih-tf-aws-control-493370826424-github",
                            ]
                        }
                      + Sid       = "000"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + create_date           = (known after apply)
      + description           = "Role to manage a terraform state of a repo"
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 43200
      + name                  = "ih-tf-aws-control-303467602807-state-manager-read-only"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "created_by_module" = "infrahouse/state-manager/aws"
          + "module_version"    = "1.4.2"
        }
      + tags_all              = {
          + "created_by"        = "infrahouse/aws-control"
          + "created_by_module" = "infrahouse/state-manager/aws"
          + "environment"       = "production"
          + "module_version"    = "1.4.2"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }
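Review bot: `max_session_duration = 43200` on `aws_iam_role.state-manager` permits 12-hour sessions, yet both trusted principals are themselves roles, and `sts:AssumeRole` called with role credentials is capped at one hour. The long maximum therefore buys nothing today and only takes effect if a user or federated principal is later added to the trust policy. If the module exposes the setting, `max_session_duration = 3600` would state the real bound. The trust statement also carries no `Condition`, so any session of `AWSReservedSSO_AWSAdministratorAccess_…` or `ih-tf-aws-control-493370826424-github` can assume the role; that may be intended, but a comment at the module call naming why each principal is trusted would help later audits. The `description` "Role to manage a terraform state of a repo" does not say the role is read-only, which makes it harder to tell apart from a read-write sibling in IAM listings.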

  # module.ih_tf_aws_control_303467602807_state_manager_read_only.aws_iam_role_policy_attachment.state-manager-ro will be created
  + resource "aws_iam_role_policy_attachment" "state-manager-ro" {
      + id         = (known after apply)
      + policy_arn = (known after apply)
      + role       = "ih-tf-aws-control-303467602807-state-manager-read-only"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: tf.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "tf.plan"
metadata
eyJzMzovL2luZnJhaG91c2UtYXdzLWNvbnRyb2wtOTkwNDY2NzQ4MDQ1L3RlcnJhZm9ybS50ZnN0YXRlIjogeyJzdWNjZXNzIjogdHJ1ZSwgImFkZCI6IDQsICJjaGFuZ2UiOiAwLCAiZGVzdHJveSI6IDB9fQ==

@akuzminsky akuzminsky merged commit ddd99d3 into main Feb 19, 2026
2 checks passed
@akuzminsky akuzminsky deleted the ih-tf-aws-control-303467602807-state-manager-read-only branch February 19, 2026 19:49