Description

Adding a second Github OIDC role, which has permissions to deploy the primary Github role (and nothing more).

Context

The iams-developer-roles Terraform stack has never been deployed via CI/CD. It defines the GitHub Actions deployment role's own permissions, so the deployment role can't update itself — a circular dependency. Any permission change requires someone with admin/SSO access to run Terraform manually.

We solve this by adding a second GitHub Actions OIDC role (github-actions-iam-bootstrap-role) that deploys the iams-developer-roles stack before the main deployment role is used. This runs automatically in every pipeline.

Security controls

• Scoped to IAM only — cannot touch Lambda, DynamoDB, S3 data, or any other service
• Self-modification denied — explicit deny in both the policy and the permissions boundary prevents the role from changing its own policies or boundary
• Trust policy locked down — main branch only, restricted to three specific workflow files
• Environment gates — dev auto-deploys, test/preprod/prod require GitHub Environment approval

Type of changes

• Refactoring (non-breaking change)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would change existing functionality)
• Bug fix (non-breaking change which fixes an issue)

Checklist

• I am familiar with the contributing guidelines
• I have followed the code style of the project
• I have added tests to cover my changes
• I have updated the documentation accordingly
• This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

• I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.