hackforla · Benettonkkb · Feb 5, 2026 · Feb 26, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/terraform/aws-custom-policies.tf b/terraform/aws-custom-policies.tf
@@ -9,5 +9,9 @@ module "aws_custom_policies" {
       description = "Policy enforcing MFA for devops security users"
       filename    = "enforce-mfa-for-users-policy.json"
     }
+    "IncubatorTfPlanSecretsRead" = {
+      description = "Allows incubator tf plan role to read specific Secrets Manager secrets needed for terraform plan"
+      filename    = "incubator-tf-plan-secrets-read-policy.json"
+    }
   }
 }
diff --git a/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json b/terraform/aws-custom-policies/incubator-tf-plan-secrets-read-policy.json
@@ -0,0 +1,17 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowReadSpecificSecretsForTerraformPlan",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetSecretValue"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-cognito-client*",
+        "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-clientid*",
+        "arn:aws:secretsmanager:us-west-2:035866691871:secret:home-unite-us-google-secret*"
+      ]
+    }
+  ]
+}
diff --git a/terraform/aws-gha-oidc-providers.tf b/terraform/aws-gha-oidc-providers.tf
@@ -39,6 +39,48 @@ resource "aws_iam_role" "incubator_tf_plan" {
   })
 }
 
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
+  role       = aws_iam_role.incubator_tf_plan.name
+  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_plan_secrets_read" {
+  role       = aws_iam_role.incubator_tf_plan.name
+  policy_arn = module.aws_custom_policies.policy_arns["IncubatorTfPlanSecretsRead"]
+}
+
+resource "aws_iam_role" "incubator_tf_apply" {
+  name = "incubator-tf-apply"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect = "Allow"
+        Action = "sts:AssumeRoleWithWebIdentity"
+        Principal = {
+          Federated = module.iam_oidc_gha_incubator.provider_arn
+        }
+        Condition = {
+          StringEquals = {
+            "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+          }
+          StringLike = {
+            "token.actions.githubusercontent.com:sub" = [
+              "repo:hackforla/incubator:ref:refs/heads/main"
+            ]
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "incubator_tf_apply_admin" {
+  role       = aws_iam_role.incubator_tf_apply.name
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
 resource "aws_iam_role_policy_attachment" "incubator_tf_plan_readonly" {
   role      = aws_iam_role.incubator_tf_plan.name
   policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"