Notifycal · dsiguero · Sep 4, 2025 · dsiguero · Sep 4, 2025
diff --git a/providers/aws.tf b/providers/aws.tf
@@ -8,6 +8,12 @@ variable "_aws_region" {
 
 locals {
   is_local_env = var._environment == "local"
+  environment_iam_role_mapping = {
+    dev = "arn:aws:iam::381492094204:role/ci-role"
+    dev-dan = "arn:aws:iam::381492094204:role/ci-role"
+    dev-sj11 = "arn:aws:iam::381492094204:role/ci-role"
+    prod = "arn:aws:iam::222261726252:role/ci-role"
+  }
 }
 
 provider "aws" {
@@ -16,6 +22,26 @@ provider "aws" {
   default_tags {
     tags = var._tags
   }
+
+  assume_role {
+    role_arn     = local.environment_iam_role_mapping[var._environment]
+    session_name = "tofu-environment-${var._environment}"
+  }
+
+  skip_credentials_validation = local.is_local_env
+  skip_metadata_api_check     = local.is_local_env
+  skip_requesting_account_id  = local.is_local_env
+  s3_use_path_style           = local.is_local_env
+}
+
+provider "aws" {
+  alias = "shared_secrets"
+  region = var._aws_region
+
+  default_tags {
+    tags = var._tags
+  }
+
   skip_credentials_validation = local.is_local_env
   skip_metadata_api_check     = local.is_local_env
   skip_requesting_account_id  = local.is_local_env

diff --git a/root.hcl b/root.hcl
@@ -9,6 +9,13 @@ locals {
   stack_path    = "${get_repo_root()}/stacks/${local.stack_name}"
   stack_version = local.merged_inputs.stack_versions[local.stack_name]
 
+  environment_iam_role_mapping = {
+    dev = "arn:aws:iam::381492094204:role/ci-role"
+    dev-dan = "arn:aws:iam::381492094204:role/ci-role"
+    dev-sj11 = "arn:aws:iam::381492094204:role/ci-role"
+    prod = "arn:aws:iam::222261726252:role/ci-role"
+  }
+
   _is_ephemeral_deploy = get_env("EPHEMERAL_DEPLOY", "false")
   environment_tags = {
     Project          = local.merged_inputs.project_name
@@ -36,6 +43,9 @@ locals {
       dynamodb_table      = "tofu-lock-${local.merged_inputs.project_name}-${local.merged_inputs.environment}"
       s3_bucket_tags      = local.environment_tags
       dynamodb_table_tags = local.environment_tags
+      assume_role = {
+        role_arn = local.environment_iam_role_mapping[local.merged_inputs.environment]
+      }
     }, {}][!local.is_local_env ? 0 : 1]
     generate = {
       path      = "_tg.backend.tf"

diff --git a/stacks/backend/source.json b/stacks/backend/source.json
@@ -1,5 +1,5 @@
 {
-  "base_source_url": "git@github.com:Notifycal/backend.git//tf",
+  "base_source_url": "/Users/dan/dev/personal/notifycal/backend//tf",
   "required_providers": {
     "null": {
       "source": "hashicorp/null",