From 2ec55643bb38efe949f606701c365c99b3ab4db5 Mon Sep 17 00:00:00 2001
From: Jake Herrmann
Date: Thu, 12 Dec 2024 10:20:53 -0900
Subject: [PATCH] draft of changes
---
 .github/configure-aws-credentials.yml | 36 ----------------------
 docs/deployments/ASF-deployment-ci-cf.yml | 25 ++++++++++++++++
 2 files changed, 25 insertions(+), 36 deletions(-)
diff --git a/.github/configure-aws-credentials.yml b/.github/configure-aws-credentials.yml
index 007508f21..36347f1ca 100644
--- a/.github/configure-aws-credentials.yml
+++ b/.github/configure-aws-credentials.yml
@@ -9,44 +9,8 @@ Parameters:
 Description: Arn for the GitHub OIDC Provider. (optional)
 Default: ""
 Type: String
- OIDCAudience:
- Description: Audience supplied to configure-aws-credentials.
- Default: "sts.amazonaws.com"
- Type: String
-
-Conditions:
- CreateOIDCProvider: !Equals
- - !Ref OIDCProviderArn
- - ""
 Resources:
- Role:
- Type: AWS::IAM::Role
- Properties:
- AssumeRolePolicyDocument:
- Statement:
- - Effect: Allow
- Action: sts:AssumeRoleWithWebIdentity
- Principal:
- Federated: !If
- - CreateOIDCProvider
- - !Ref GithubOidc
- - !Ref OIDCProviderArn
- Condition:
- StringEquals:
- token.actions.githubusercontent.com:aud: !Ref OIDCAudience
- StringLike:
- token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
-
- GithubOidc:
- Type: AWS::IAM::OIDCProvider
- Condition: CreateOIDCProvider
- Properties:
- Url: https://token.actions.githubusercontent.com
- ClientIdList:
- - sts.amazonaws.com
- ThumbprintList:
- - ffffffffffffffffffffffffffffffffffffffff
 Outputs:
 Role:
diff --git a/docs/deployments/ASF-deployment-ci-cf.yml b/docs/deployments/ASF-deployment-ci-cf.yml
index 4daeffcae..9300eaa2e 100644
--- a/docs/deployments/ASF-deployment-ci-cf.yml
+++ b/docs/deployments/ASF-deployment-ci-cf.yml
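Review bot: `Outputs:` still carries a `Role:` entry after the `Role` resource is deleted, so whatever that output references (its body is outside the hunk, presumably `!GetAtt Role.Arn`) will now fail template validation. The `OIDCProviderArn` parameter is kept as well, but with the `CreateOIDCProvider` condition and both resources gone nothing visible references it any more, and its "(optional)" description no longer describes anything the template does. If this file is being retired in favour of `docs/deployments/ASF-deployment-ci-cf.yml`, deleting it outright is cleaner than leaving a template that no longer validates; if it stays, either drop the parameter and the output together or move the `OIDCProviderArn` handling into the new template.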
@@ -6,6 +6,31 @@ Parameters:
 Type: String
 Resources:
+ GithubOidcRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Statement:
+ - Effect: Allow
+ Action: sts:AssumeRoleWithWebIdentity
+ Principal:
+ Federated: !Ref GithubOidc
+ Condition:
+ StringEquals:
+ token.actions.githubusercontent.com:aud: "sts.amazonaws.com"
+ # TODO left off here:
+ StringLike:
+ token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:*
+
+ GithubOidc:
+ Type: AWS::IAM::OIDCProvider
+ Properties:
+ Url: https://token.actions.githubusercontent.com
+ ClientIdList:
+ - sts.amazonaws.com
+ ThumbprintList:
+ - ffffffffffffffffffffffffffffffffffffffff
+
 CloudformationDeploymentRole:
 Type: AWS::IAM::Role
 Properties:
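Review bot: The `StringLike` condition on `token.actions.githubusercontent.com:sub` in `GithubOidcRole` trusts every workflow run in the repository (any branch, tag, pull request or environment), which is wider than a deployment role needs, and the `# TODO left off here:` line directly above it is left in the new code. If deployments should only come from a protected ref, pin the subject, e.g. `token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main` (or the `environment:<name>` subject form), and drop the TODO. `GithubOidc` is now created unconditionally, and an account can hold only one OIDC provider for that URL, so stack creation will fail wherever one already exists; the `OIDCProviderArn` parameter plus `CreateOIDCProvider` condition removed from `.github/configure-aws-credentials.yml` in this same patch handled that and could be carried over here. The all-`f` `ThumbprintList` entry is the usual placeholder for this IdP, but a comment such as `# placeholder: AWS validates this IdP via its own trust store rather than the thumbprint (confirm against current IAM docs)` would stop a reader from treating it as a real certificate pin. The `CloudformationDeploymentRole` definition continues past the end of the hunk.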