harik8 · harik8 · May 17, 2026 · May 17, 2026 · May 17, 2026 · May 17, 2026
diff --git a/.github/workflows/tofu.yaml b/.github/workflows/tofu.yaml
@@ -17,7 +17,10 @@ on:
 
 permissions:
   id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
+  # contents: read  # This is required for actions/checkout
+  contents: write
+  pull-requests: write
+  issues: write
 
 jobs:
   TOFU-APPLY:
@@ -27,42 +30,78 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v6
 
-    - name: AWS - Set AWS Credentials
+    # - name: Setup opentofu  
+    #   uses: opentofu/setup-opentofu@v2
+    #   with:
+    #     tofu_version: 1.11.2
+    #     cache: true
+
+    # - name: OpenTofu fmt
+    #   working-directory: tofu
+    #   run: tofu fmt -check
+    #   continue-on-error: false
+
+    - name: AWS Bedrock Claude Github OIDC
       uses: aws-actions/configure-aws-credentials@v5.1.1
       with:
-        aws-region: ${{ vars.AWS_REGION }}
+        aws-region: eu-west-1
         role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
-        role-session-name: gh_set_aws_credentials
+        role-session-name: github_action_oidc_role
 
-    - name: AWS - Assume Role
-      id: aws_assume_role
+    - name: AWS - Assume Bedrock Claude Role
       uses: aws-actions/configure-aws-credentials@v5.1.1
       with:
-        aws-region: ${{ vars.AWS_REGION }}
-        role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }}
-        role-session-name: github_action
+        role-to-assume: ${{ secrets.AWS_IAM_GITHUB_BEDROCK_CLAUDE_ROLE_ARN }}
+        aws-region: eu-west-1
+        role-session-name: github_action_bedrock_claude
         role-chaining: true
 
-    - name: Setup opentofu  
-      uses: opentofu/setup-opentofu@v2
+    # - run: |
+    #     aws sts get-caller-identity
+    #     aws bedrock list-foundation-models --by-provider anthropic --region eu-west-1
+
+    - uses: anthropics/claude-code-action@v1
       with:
-        tofu_version: 1.11.2
-        cache: true
+        use_bedrock: "true"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        prompt: |
+            REPO: ${{ github.repository }}
+            BRANCH: ${{ github.ref_name }}
+
+            Analyze the latest commit in this repository.
+        claude_args: |
+          --model eu.anthropic.claude-haiku-4-5-20251001-v1:0
+          --max-turns 30
+
+    - name: Debug Claude output
+      if: always()
+      run: cat /home/runner/work/_temp/claude-execution-output.json
+
+    # - name: AWS - Set AWS Credentials
+    #   uses: aws-actions/configure-aws-credentials@v5.1.1
+    #   with:
+    #     aws-region: ${{ vars.AWS_REGION }}
+    #     role-to-assume: ${{ secrets.AWS_IAM_GITHUB_OIDC_ROLE_ARN }}
+    #     role-session-name: github_action_oidc_role
 
-    - name: OpenTofu fmt
-      working-directory: tofu
-      run: tofu fmt -check
-      continue-on-error: false
+    # - name: AWS - Assume Awsing Role
+    #   id: aws_assume_role
+    #   uses: aws-actions/configure-aws-credentials@v5.1.1
+    #   with:
+    #     aws-region: ${{ vars.AWS_REGION }}
+    #     role-to-assume: ${{ secrets.AWS_IAM_ASSUME_ROLE_ARN }}
+    #     role-session-name: github_action_awsing
+    #     role-chaining: true
 
-    - name: OpenTofu apply
-      working-directory: tofu
-      run: |
-          export TF_VAR_aws_region=${{ vars.AWS_REGION }}
-          export TF_VAR_s3_backend=${{ secrets.TF_VAR_S3_BACKEND }}
-          export TF_VAR_iac_role=${{ secrets.TF_VAR_IAC_ROLE }}
-          export TF_VAR_account_id=${{ secrets.TF_VAR_ACCOUNT_ID }}
+    # - name: OpenTofu apply
+    #   working-directory: tofu
+    #   run: |
+    #       export TF_VAR_aws_region=${{ vars.AWS_REGION }}
+    #       export TF_VAR_s3_backend=${{ secrets.TF_VAR_S3_BACKEND }}
+    #       export TF_VAR_iac_role=${{ secrets.TF_VAR_IAC_ROLE }}
+    #       export TF_VAR_account_id=${{ secrets.TF_VAR_ACCOUNT_ID }}
 
-          tofu init
-          tofu workspace select ${{ vars.TOFU_WORKSPACE }}
-          tofu plan
-          tofu apply -auto-approve
+    #       tofu init
+    #       tofu workspace select ${{ vars.TOFU_WORKSPACE }}
+    #       tofu plan
+    #       tofu apply -auto-approve
diff --git a/tofu/iam.github_oidc.tofu b/tofu/iam.github_oidc.tofu
@@ -1,3 +1,8 @@
+# ===== Description =====
+# IAM self-assumption and scoped-down policy principals have been followed in Github OIDC implementation
+# More details: https://dev.to/aws-builders/understanding-self-assumption-and-scoped-down-policy-in-aws-iam-2io
+# ======
+
 module "iam_github_oidc_provider" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-provider"
   version = local.vars.iam.version
@@ -13,6 +18,8 @@ module "iam_github_oidc_role" {
   subjects = local.vars.iam.github_oidc.repos
 }
 
+# ===== hariprasad.dev Cloudfront deployment =====
+
 module "iam_github_portfolio_website_s3_policy" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
   version = local.vars.iam.version
@@ -66,6 +73,8 @@ module "iam_assumable_role_github_portfolio_website" {
   ]
 }
 
+# ===== awsing OpenTofu deployment =====
+
 module "iam_assumable_role_github_awsing" {
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
   version = local.vars.iam.version
@@ -83,4 +92,57 @@ module "iam_assumable_role_github_awsing" {
   custom_role_policy_arns = [
     "arn:aws:iam::aws:policy/AdministratorAccess"
   ]
+}
+
+# ===== PR review using Bedrock claude =====
+
+module "iam_github_portfolio_bedrock_claude_policy" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = local.vars.iam.version
+
+  name        = "${terraform.workspace}-github-bedrock-claude-policy"
+  path        = "/"
+  description = "IAM policy for GitHub OIDC role to access ${terraform.workspace}-bedrock-claude policy"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ClaudeBedrockInference",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock:InvokeModel",
+        "bedrock:InvokeModelWithResponseStream",
+        "bedrock:ListFoundationModels",
+        "bedrock:GetFoundationModel",
+        "bedrock:ListInferenceProfiles",
+        "bedrock:GetInferenceProfile",
+        "aws-marketplace:ViewSubscriptions",
+        "aws-marketplace:Subscribe",
+        "aws-marketplace:Unsubscribe"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+module "iam_assumable_role_github_bedrock_claude" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+  version = local.vars.iam.version
+
+  role_name   = "${terraform.workspace}-github-bedrock-claude-role"
+  create_role = true
+
+  trusted_role_arns = [
+    module.iam_github_oidc_role.arn
+  ]
+
+  role_requires_mfa = false
+
+  custom_role_policy_arns = [
+    module.iam_github_portfolio_bedrock_claude_policy.arn
+  ]
 }