From 1155058478eb40635effada889a3edfebef4c9fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roch=C3=A9=20Compaan?=
Date: Wed, 25 Feb 2026 11:25:58 -0400
Subject: [PATCH] feat(terraform): allow assuming TerraformPlanRole from github oidc role

---
 .../terraform/modules/base/github-iam-role.tf | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/template/terraform/modules/base/github-iam-role.tf b/template/terraform/modules/base/github-iam-role.tf
index 44f7934..a567c43 100644
--- a/template/terraform/modules/base/github-iam-role.tf
+++ b/template/terraform/modules/base/github-iam-role.tf
@@ -41,3 +41,28 @@ resource "aws_iam_role_policy_attachment" "ecr_push_policy_attachment" {
 policy_arn = aws_iam_policy.ecr_push_policy.arn
 }
 
+# Allow GitHub OIDC role to assume the Terraform plan role
+resource "aws_iam_policy" "terraform_plan_assume_role_policy" {
+ name = "${var.app_name}-${var.repo_name}-terraform-plan-assume-role-policy"
+ description = "Policy to allow assuming TerraformPlanRole"
+
+ policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Effect = "Allow",
+ Action = [
+ "sts:AssumeRole"
+ ],
+ Resource = [
+ "arn:aws:iam::${var.account_id}:role/TerraformPlanRole"
+ ]
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "terraform_plan_assume_role_policy_attachment" {
+ role = data.aws_iam_role.github_oidc_role.name
+ policy_arn = aws_iam_policy.terraform_plan_assume_role_policy.arn
+}
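Review bot: The `Resource` entry hard-codes the target as `role/TerraformPlanRole` while every other identifier in this file is derived from `var.app_name`/`var.repo_name`, so the role name should come from a variable (e.g. `Resource = ["arn:aws:iam::${var.account_id}:role/${var.terraform_plan_role_name}"]` with a default of `"TerraformPlanRole"`) rather than being the one value a template consumer cannot override. This identity-policy statement is also only half of the grant: `sts:AssumeRole` succeeds only if TerraformPlanRole's trust policy names `data.aws_iam_role.github_oidc_role` (or a principal that covers it), and nothing in this hunk shows that trust policy, so a comment such as `# The target role's trust policy must also allow this OIDC role as a principal; this statement alone does not grant access.` above the `policy` block would save the next reader a failed plan. Because the attachment widens what the GitHub OIDC role can reach, whether the OIDC role's trust policy pins `token.actions.githubusercontent.com:sub` to specific branches or environments now determines whether any workflow that can assume it (presumably including PR-triggered ones) can obtain plan credentials; that condition lives outside this diff and is worth confirming before merge.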