From 592ec23ab39ab1080edf6d671e2fe49d166957c0 Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 19 Feb 2026 07:43:10 +0000
Subject: [PATCH 1/4] Update forgotten TF plan/apply from PR 147 to use separate OIDC roles
---
 .github/workflows/terraform-apply.yaml | 2 +-
 .github/workflows/terraform-plan.yaml | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/terraform-apply.yaml b/.github/workflows/terraform-apply.yaml
index 47cc0f5..e3a8798 100644
--- a/.github/workflows/terraform-apply.yaml
+++ b/.github/workflows/terraform-apply.yaml
@@ -33,7 +33,7 @@ jobs:
 - name: configure aws credentials
 uses: aws-actions/configure-aws-credentials@v3
 with:
- role-to-assume: arn:aws:iam::035866691871:role/gha-incubator
+ role-to-assume: arn:aws:iam::035866691871:role/incubator-tf-apply
 role-session-name: ghaincubatorsession
 aws-region: us-west-2
diff --git a/.github/workflows/terraform-plan.yaml b/.github/workflows/terraform-plan.yaml
index 216c2b9..d9964cb 100644
--- a/.github/workflows/terraform-plan.yaml
+++ b/.github/workflows/terraform-plan.yaml
@@ -33,8 +33,8 @@ jobs:
 - name: configure aws credentials
 uses: aws-actions/configure-aws-credentials@v3
 with:
- role-to-assume: arn:aws:iam::035866691871:role/gha-incubator
- role-session-name: ghaincubatorplan
+ role-to-assume: arn:aws:iam::035866691871:role/incubator-tf-plan
+ role-session-name: incubatortfplan
 aws-region: us-west-2

 - name: Terraform Plan
@@ -63,4 +63,5 @@ jobs:
 output-file: README.md
 output-method: inject
 git-push: "true"
- git-commit-message: "terraform-docs: automated updates to Terraform modules README.md"
\ No newline at end of file
+ git-commit-message: "terraform-docs: automated updates to Terraform modules README.md"
+
From 4ab83e6ddfe72dad180f65f12009e51183f62770 Mon Sep 17 00:00:00 2001
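Review bot: In the terraform-apply.yaml hunk the session name on the context line just after the changed `role-to-assume` is still `ghaincubatorsession`, while the plan workflow in the same patch renames its session to `incubatortfplan`; now that the two jobs assume different roles, giving apply a matching name, `role-session-name: incubatortfapply`, keeps the `AssumeRoleWithWebIdentity` entries in CloudTrail distinguishable per workflow and consistent in style. The rest of the job, including its trigger and `permissions:` block, is outside the hunk, so whether the apply role's trust policy is limited to the protected branch cannot be confirmed from here.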
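Review bot: In the terraform-plan.yaml hunk the job now assumes `incubator-tf-plan`, a role separate from apply, but nothing visible says what that role may do or which GitHub subjects its trust policy accepts; if this workflow runs on `pull_request`, everything the plan role permits becomes reachable from unreviewed branch content, so it is worth confirming the role holds only what a plan needs (reading state and refreshing resources) and that its trust condition is pinned to this repository. Recording that intent next to the step would help the next reader, e.g. `# incubator-tf-plan: read-only role; trust policy restricts subjects to this repo`. The workflow trigger and `permissions:` block are outside the hunk.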
From: Benettonkkb
Date: Thu, 4 Jun 2026 00:53:30 +0000
Subject: [PATCH 2/4] Re-added Secrets Manager wildcard for home-unite-us, following the restore
---
 terraform/cicd.tf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/terraform/cicd.tf b/terraform/cicd.tf
index 061183c..b4df358 100644
--- a/terraform/cicd.tf
+++ b/terraform/cicd.tf
@@ -42,6 +42,15 @@ resource "aws_iam_policy" "incubator_builder" {
 Resource = [
 "arn:aws:ecs:us-west-2:${data.aws_caller_identity.current.account_id}:service/incubator-prod/*"
 ]
+ },
+ // allow read home-unite-us secrets
+ {
+ Sid = "SecretsManagerReadHomeUniteUs"
+ Effect = "Allow"
+ Action = [
+ "secretsmanager:GetSecretValue"
+ ]
+ Resource = "arn:aws:secretsmanager:us-west-2:${data.aws_caller_identity.current.account_id}:secret:home-unite-us-*"
 }
 ]
 })
From 167a86812bf3f89b9b36c33670cb5f6ea3ee590b Mon Sep 17 00:00:00 2001
From: Benettonkkb
Date: Thu, 18 Jun 2026 01:11:56 +0000
Subject: [PATCH 3/4] removed homeuniteus from secrets scope and used wildcard only
---
 terraform/cicd.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/terraform/cicd.tf b/terraform/cicd.tf
index b4df358..06402ff 100644
--- a/terraform/cicd.tf
+++ b/terraform/cicd.tf
@@ -43,14 +43,14 @@ resource "aws_iam_policy" "incubator_builder" {
 "arn:aws:ecs:us-west-2:${data.aws_caller_identity.current.account_id}:service/incubator-prod/*"
 ]
 },
- // allow read home-unite-us secrets
+ // allow read secrets
 {
- Sid = "SecretsManagerReadHomeUniteUs"
+ Sid = "SecretsManagerReadAll"
 Effect = "Allow"
 Action = [
 "secretsmanager:GetSecretValue"
 ]
- Resource = "arn:aws:secretsmanager:us-west-2:${data.aws_caller_identity.current.account_id}:secret:home-unite-us-*"
+ Resource = "arn:aws:secretsmanager:us-west-2:${data.aws_caller_identity.current.account_id}:secret:*"
 }
 ]
 })
From d2fb6372086540cd7819f6d65469a45e87ec8150 Mon Sep 17 00:00:00 2001
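Review bot: In the patch 2 hunk, `secretsmanager:GetSecretValue` on `secret:home-unite-us-*` is scoped to a name prefix, which is the right shape, but if those secrets are encrypted with a customer-managed KMS key rather than the AWS-managed default the builder will also need `kms:Decrypt` on that key (ideally conditioned with `kms:ViaService` so it only works through Secrets Manager), which this statement does not grant; the gap would only surface at runtime as an AccessDenied on retrieval, so confirming which key the secrets use before merge avoids a surprise. If the prefix convention is not enforced on secret creation, a tag-based `Condition` is the alternative that keeps the grant tied to the project. The enclosing `Statement` list and the resource block start before the hunk.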
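Review bot: In the patch 3 hunk, widening `Resource` to `secret:*` lets `incubator_builder` read every secret in the account instead of only the `home-unite-us-*` prefix, and the new Sid `SecretsManagerReadAll` makes that explicit; for a CI builder policy this is a least-privilege regression worth pushing back on, because any workflow run or compromised dependency executing under this role can then read secrets belonging to other projects. If several projects need access, listing their prefixes in the `Resource` array or using a tag-based `Condition` keeps the blast radius per project. The subject says the wildcard is now used "only", which suggests the same grant exists elsewhere; that other grant is outside this patch.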
From: Benettonkkb
Date: Thu, 18 Jun 2026 01:27:00 +0000
Subject: [PATCH 4/4] removed redundant secrets reference at end of file
---
 terraform/cicd.tf | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/terraform/cicd.tf b/terraform/cicd.tf
index 06402ff..abd0acb 100644
--- a/terraform/cicd.tf
+++ b/terraform/cicd.tf
@@ -42,16 +42,8 @@ resource "aws_iam_policy" "incubator_builder" {
 Resource = [
 "arn:aws:ecs:us-west-2:${data.aws_caller_identity.current.account_id}:service/incubator-prod/*"
 ]
- },
- // allow read secrets
- {
- Sid = "SecretsManagerReadAll"
- Effect = "Allow"
- Action = [
- "secretsmanager:GetSecretValue"
- ]
- Resource = "arn:aws:secretsmanager:us-west-2:${data.aws_caller_identity.current.account_id}:secret:*"
 }
+ ]
 })
 }
\ No newline at end of file
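Review bot: The hunk header advertises 16 old and 8 new lines but only 15 and 7 are visible, and the `]` that closes `Statement` appears here only as an added line although it was context in the previous patch, so at least one line was lost in this rendering and the bracket balance of the resulting `jsonencode` block cannot be confirmed from the page; running `terraform validate` on the result before merge would settle it. The statement is dropped as redundant, which implies an equivalent grant lives elsewhere, and since the previous patch had widened this one to `secret:*`, confirming that the surviving grant is scoped to the prefixes the builder actually needs is the more important follow-up. The file still ends without a trailing newline.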