Now that we've committed to Pulumi as our IaC tooling, we should remove the AWS credentials being stored as GitHub secrets in the hubverse-infrastructure repo.
Edit 2024-04-16: the token we're storing as a GitHub secret isn't actually an AWS token, it's a Pulumi token. That said, we do still need to separate the permissions required to preview infra changes (which we'll need on any branch in the repo) from the permissions required to execute infra changes (which should only be assumed by the repo's main branch).
Definition of done:
[x] There is a new AWS IAM role that has the permissions required to create, update, and destroy AWS infrastructure as required in our Pulumi code
[x] The new IAM role can be assumed by GitHub Actions workflows originating from the main branch of the hubverse-infrastructure repo
[x] There is a second new "read only" AWS IAM role that has the permissions necessary to run the Pulumi preview command
[x] The "read only" role can be assumed by GitHub Actions workflows originating from the feature branches of the hubverse-infrastructure repo (so the preview report can be run when opening a PR)
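Added example, not code from the hubverse-infrastructure repo: the two IAM trust policies the checklist describes (deploy role pinned to main, preview role open to any ref or PR in the repo), plus a small checker that evaluates which GitHub OIDC `sub` claims each policy admits. The GitHub org `EXAMPLE-ORG`, the account id `123456789012`, and the helper names `trust_policy`/`can_assume` are assumptions; the OIDC provider for token.actions.githubusercontent.com is assumed to already exist in the account.

```python
"""Trust policies for the deploy and preview roles assumed by GitHub Actions via OIDC."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"   # placeholder, not the real account
GITHUB_ORG = "EXAMPLE-ORG"    # placeholder, not the real org
REPO = "hubverse-infrastructure"
OIDC_PROVIDER = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com"
AUD_KEY = "token.actions.githubusercontent.com:aud"
SUB_KEY = "token.actions.githubusercontent.com:sub"


def trust_policy(operator: str, sub_pattern: str) -> dict:
    """Build a role trust policy for AssumeRoleWithWebIdentity from the GitHub OIDC provider.
    The audience is always matched exactly; the subject match (StringEquals vs StringLike)
    is what separates the tightly scoped deploy role from the broader preview role."""
    condition = {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}
    condition.setdefault(operator, {})[SUB_KEY] = sub_pattern
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": OIDC_PROVIDER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Deploy role: only tokens minted for the main branch ref may assume it.
DEPLOY_ROLE = trust_policy("StringEquals", f"repo:{GITHUB_ORG}/{REPO}:ref:refs/heads/main")
# Preview role: any ref of the repo, including the "pull_request" sub that
# pull_request-triggered workflows receive, so `pulumi preview` can run on PRs.
PREVIEW_ROLE = trust_policy("StringLike", f"repo:{GITHUB_ORG}/{REPO}:*")


def github_claims(sub: str) -> dict:
    """Constructed stand-in for the relevant claims of a decoded GitHub OIDC token."""
    return {AUD_KEY: "sts.amazonaws.com", SUB_KEY: sub}


def can_assume(policy: dict, claims: dict) -> bool:
    """Evaluate the policy's Condition block against token claims (StringEquals/StringLike only,
    which is all these policies use; IAM StringLike wildcards are * and ?, as in fnmatch)."""
    condition = policy["Statement"][0]["Condition"]
    if any(claims.get(k) != v for k, v in condition.get("StringEquals", {}).items()):
        return False
    return all(fnmatch.fnmatchcase(claims.get(k, ""), pat)
               for k, pat in condition.get("StringLike", {}).items())


if __name__ == "__main__":
    print(json.dumps({"deploy": DEPLOY_ROLE, "preview": PREVIEW_ROLE}, indent=2))
```

Run it to print both policy documents; a feature-branch token is rejected by the deploy role but accepted by the preview role, and a token from any other repo is rejected by both.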