apply-terraform-identity.sh

Applies the Terraform identity stack for GitHub OIDC and IAM roles.

Purpose

Runs a guided Terraform workflow for infra/identity so you do not need to manually change directories or remember command order.

What It Does

  1. Validates prerequisites:
     • terraform CLI
     • aws CLI
     • Valid AWS credentials (aws sts get-caller-identity)
  2. Runs Terraform in infra/identity:
     • terraform init (with locked provider versions)
     • terraform validate
     • terraform plan
  3. Prompts for confirmation before apply
  4. Runs terraform apply
  5. Prints identity outputs (OIDC provider and role ARNs)

Usage

./scripts/apply-terraform-identity.sh

Notes

  • Safe to run repeatedly; Terraform handles drift and idempotency.
  • If you answer n at the prompt, no changes are applied.
  • This script targets the shared identity stack in infra/identity.
  • Provider versions are pinned via .terraform.lock.hcl. To upgrade providers intentionally, use terraform init -upgrade locally and commit lock file changes via PR.
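
The steps under What It Does, written out as an added sketch; this is not the repository's script. It applies a saved plan file so that the apply step runs exactly what was reviewed at the prompt. Assumptions: the names PLAN_FILE and RUN_IDENTITY_STACK are hypothetical, and -lockfile=readonly is one way to enforce the locked provider versions.

```bash
#!/usr/bin/env bash
# Added sketch, not the repository's script. PLAN_FILE and
# RUN_IDENTITY_STACK are assumed names; -lockfile=readonly is one way
# to get "locked provider versions" and may differ from the real script.
set -eu

STACK_DIR="${STACK_DIR:-infra/identity}"
PLAN_FILE="${PLAN_FILE:-identity.tfplan}"

# Fail with a clear message if a required CLI is not on PATH.
require_cmd() {
  command -v "$1" >/dev/null 2>&1 || {
    echo "missing prerequisite: $1" >&2
    return 1
  }
}

# Read one line from stdin; only an explicit yes approves the apply.
# Empty input, EOF, or anything else is treated as "no".
confirm_apply() {
  answer=""
  printf 'Apply this plan? [y/N] ' >&2
  read -r answer || true
  case "$answer" in
    y|Y|yes|YES) return 0 ;;
    *) return 1 ;;
  esac
}

run_identity_stack() {
  require_cmd terraform
  require_cmd aws
  # Shows the principal that will make the changes; fails on bad credentials.
  aws sts get-caller-identity --output json
  # readonly: init errors out rather than rewriting .terraform.lock.hcl.
  terraform -chdir="$STACK_DIR" init -input=false -lockfile=readonly
  terraform -chdir="$STACK_DIR" validate
  # Save the plan so apply executes exactly what was reviewed.
  terraform -chdir="$STACK_DIR" plan -input=false -out="$PLAN_FILE"

  if ! confirm_apply; then
    echo "No changes applied." >&2
    return 0
  fi
  terraform -chdir="$STACK_DIR" apply -input=false "$PLAN_FILE"
  terraform -chdir="$STACK_DIR" output
}

if [ "${RUN_IDENTITY_STACK:-0}" = "1" ]; then run_identity_stack; fi
```

Set RUN_IDENTITY_STACK=1 to run the workflow from the repository root; the saved plan may contain sensitive values, so keep it out of version control.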