From 8450ba655bd4c0c5049ecba74106724e41ac8da0 Mon Sep 17 00:00:00 2001 From: Oleksandr Kuzminskyi Date: Fri, 15 May 2026 15:42:39 -0700 Subject: [PATCH 1/4] Migrate to infrahouse/github-control --- .github/workflows/terraform-CI.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/terraform-CI.yml b/.github/workflows/terraform-CI.yml index 94a6cc4..114bb65 100644 --- a/.github/workflows/terraform-CI.yml +++ b/.github/workflows/terraform-CI.yml @@ -24,14 +24,6 @@ jobs: shell: bash steps: - - name: "Get token" - id: "app-token" - uses: "actions/create-github-app-token@v1" - with: - private-key: ${{ secrets.IH_GH_TF_APP_KEY }} - app-id: "1016363" - owner: "infrahouse8" - # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v3 From b0632d10dd789bff0c4aea0ac61c195b8ae6dc7a Mon Sep 17 00:00:00 2001 From: Oleksandr Kuzminskyi Date: Sat, 16 May 2026 06:26:01 -0700 Subject: [PATCH 2/4] Hardcore github and state roles --- .github/workflows/terraform-CI.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform-CI.yml b/.github/workflows/terraform-CI.yml index 114bb65..844c403 100644 --- a/.github/workflows/terraform-CI.yml +++ b/.github/workflows/terraform-CI.yml @@ -17,6 +17,8 @@ jobs: timeout-minutes: 60 env: AWS_DEFAULT_REGION: "us-west-1" + ROLE_GITHUB : "arn:aws:iam::303467602807:role/ih-tf-github-control-github" + ROLE_STATE_MANAGER : "arn:aws:iam::289256138624:role/ih-tf-github-control-state-manager" # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: @@ -31,7 +33,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ vars.ROLE_GITHUB }} + role-to-assume: ${{ env.ROLE_GITHUB }} role-session-name: ih-tf-terraform-control-github-control aws-region: ${{ env.AWS_DEFAULT_REGION }} 
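Review bot: The `ROLE_GITHUB` and `ROLE_STATE_MANAGER` ARNs added under `env:` in patch 2/4 can now be changed by anyone who can edit this workflow file, so what decides who may assume them is each role's trust policy, which this patch does not show. Assuming the credentials step uses GitHub OIDC, that policy should restrict `token.actions.githubusercontent.com:sub` to this repository and the expected branch or event. A comment above the two keys would record this, e.g. `# Access is limited by the roles' trust policies (OIDC sub condition), not by this file`. The same two values are added again to terraform-CD.yml in patch 4/4, so the comment belongs there too; the job that owns this `env:` block starts outside the hunk.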
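Review bot: The step whose `role-to-assume` is edited here still loads `aws-actions/configure-aws-credentials@v2` by a movable tag (an unchanged context line), and this is the step that obtains AWS credentials for `ROLE_GITHUB`. Pinning it to a full commit SHA with the tag kept as a trailing comment, `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v2`, means a re-pointed tag cannot run with that role. The same applies to the identical step in terraform-CD.yml (patch 4/4) and to `actions/checkout@v3` in the first hunk's context.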
@@ -66,5 +68,5 @@ jobs: # Upload Terraform Plan - name: Upload Terraform Plan run: | - ih-plan --aws-assume-role-arn ${{ vars.ROLE_STATE_MANAGER }} \ + ih-plan --aws-assume-role-arn ${{ env.ROLE_STATE_MANAGER }} \ upload --key-name=plans/${{ github.event.pull_request.number }}.plan tf.plan From cd6fbb7eafc56215dcc3b50234a175b671c23838 Mon Sep 17 00:00:00 2001 From: Oleksandr Kuzminskyi Date: Sat, 16 May 2026 06:27:19 -0700 Subject: [PATCH 3/4] fix: code style --- .github/workflows/terraform-CI.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/terraform-CI.yml b/.github/workflows/terraform-CI.yml index 844c403..8ef0fa4 100644 --- a/.github/workflows/terraform-CI.yml +++ b/.github/workflows/terraform-CI.yml @@ -17,8 +17,8 @@ jobs: timeout-minutes: 60 env: AWS_DEFAULT_REGION: "us-west-1" - ROLE_GITHUB : "arn:aws:iam::303467602807:role/ih-tf-github-control-github" - ROLE_STATE_MANAGER : "arn:aws:iam::289256138624:role/ih-tf-github-control-state-manager" + ROLE_GITHUB: "arn:aws:iam::303467602807:role/ih-tf-github-control-github" + ROLE_STATE_MANAGER: "arn:aws:iam::289256138624:role/ih-tf-github-control-state-manager" # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: From 282c3110b11bed4d086ffdc706c58df0100aeefc Mon Sep 17 00:00:00 2001 From: Oleksandr Kuzminskyi Date: Sat, 16 May 2026 06:41:12 -0700 Subject: [PATCH 4/4] Hardcore github and state roles in CD --- .github/workflows/terraform-CD.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform-CD.yml b/.github/workflows/terraform-CD.yml index 1f6a995..a22ad5c 100644 --- a/.github/workflows/terraform-CD.yml +++ b/.github/workflows/terraform-CD.yml 
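Review bot: In `Upload Terraform Plan`, `${{ env.ROLE_STATE_MANAGER }}` is pasted into the script text before bash starts, although the value is now a job-level `env:` entry and is already exported to the step's shell. Reading it as a quoted shell variable, `ih-plan --aws-assume-role-arn "$ROLE_STATE_MANAGER" \`, keeps the script free of expression interpolation and stays safe if the value ever stops being a constant. The `Download plan` and `Remove plan` steps in terraform-CD.yml (patch 4/4) use the same pattern and would take the same change.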
@@ -19,6 +19,8 @@ jobs: timeout-minutes: 60 env: AWS_DEFAULT_REGION: "us-west-1" + ROLE_GITHUB: "arn:aws:iam::303467602807:role/ih-tf-github-control-github" + ROLE_STATE_MANAGER: "arn:aws:iam::289256138624:role/ih-tf-github-control-state-manager" # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest defaults: @@ -33,7 +35,7 @@ jobs: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v2 with: - role-to-assume: ${{ vars.ROLE_GITHUB }} + role-to-assume: ${{ env.ROLE_GITHUB }} role-session-name: ih-tf-terraform-control-github-control aws-region: ${{ env.AWS_DEFAULT_REGION }} @@ -54,7 +56,7 @@ jobs: # Download a plan from the approved pull request - name: Download plan run: | - ih-plan --aws-assume-role-arn ${{ vars.ROLE_STATE_MANAGER }} \ + ih-plan --aws-assume-role-arn ${{ env.ROLE_STATE_MANAGER }} \ download \ plans/${{ github.event.pull_request.number }}.plan \ tf.plan @@ -75,6 +77,6 @@ jobs: - name: Remove plan run: | - ih-plan --aws-assume-role-arn ${{ vars.ROLE_STATE_MANAGER }} \ + ih-plan --aws-assume-role-arn ${{ env.ROLE_STATE_MANAGER }} \ remove \ plans/${{ github.event.pull_request.number }}.plan
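Review bot: The file fetched in `Download plan` is identified only by `plans/${{ github.event.pull_request.number }}.plan`, so nothing in these lines ties the downloaded plan to the commit that was reviewed; presumably a later push to the same pull request overwrites that key from the CI workflow. If the steps after this hunk apply `tf.plan` (they are not visible here), consider adding the head commit to the key in both workflows, e.g. `plans/${{ github.event.pull_request.number }}-${{ github.event.pull_request.head.sha }}.plan`. `Remove plan` in the last hunk would need the same key.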