fix(ci): remove hardcoded AWS profile from backend and provider

Mohitsharma44 · claude · Mohitsharma44 · commit 0fff40e6fc21 · 2026-02-11T22:39:22.000-08:00
The S3 backend had profile=muon which doesn't exist in CI runners.
Removed profile from backend block (uses AWS_PROFILE env var locally,
OIDC env vars in CI). Made provider profile conditional — empty string
falls back to default credential chain. Added TF_VAR_aws_profile=""
to CI workflow env. Also removed OIDC debug step and fixed org name
casing in variables.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -19,18 +19,16 @@ concurrency:
   group: terraform-${{ github.ref }}
   cancel-in-progress: false
 
+env:
+  TF_VAR_aws_profile: ""
+
 jobs:
   plan:
     name: Terraform Plan
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request'
 
     steps:
-      - name: Debug OIDC Token
-        run: |
-          IDTOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r '.value')
-          echo "$IDTOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | jq '{sub, aud, iss, ref, repository}' || true
-
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
diff --git a/infra/providers.tf b/infra/providers.tf
@@ -14,13 +14,13 @@ terraform {
     region         = "us-east-1"
     dynamodb_table = "cuspuo-terraform-lock"
     encrypt        = true
-    profile        = "muon"
+    # No profile here — uses AWS_PROFILE env var locally, OIDC env vars in CI
   }
 }
 
 provider "aws" {
   region  = "us-east-1"
-  profile = var.aws_profile
+  profile = var.aws_profile != "" ? var.aws_profile : null
 
   default_tags {
     tags = {
diff --git a/infra/variables.tf b/infra/variables.tf
@@ -23,9 +23,9 @@ variable "state_lock_table_name" {
 }
 
 variable "github_org" {
-  description = "GitHub organization name (lowercase, as used in OIDC sub claim)"
+  description = "GitHub organization name (case-sensitive, must match OIDC sub claim)"
   type        = string
-  default     = "cuspuo"
+  default     = "CUSPUO"
 }
 
 variable "github_repo" {

Original file line number	Diff line number	Diff line change
`@@ -14,13 +14,13 @@ terraform {`
`14`	`14`	`region = "us-east-1"`
`15`	`15`	`dynamodb_table = "cuspuo-terraform-lock"`
`16`	`16`	`encrypt = true`
`17`		`- profile = "muon"`
	`17`	`+ # No profile here — uses AWS_PROFILE env var locally, OIDC env vars in CI`
`18`	`18`	`}`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`provider "aws" {`
`22`	`22`	`region = "us-east-1"`
`23`		`- profile = var.aws_profile`
	`23`	`+ profile = var.aws_profile != "" ? var.aws_profile : null`
`24`	`24`
`25`	`25`	`default_tags {`
`26`	`26`	`tags = {`
Original file line number	Diff line number	Diff line change
`@@ -23,9 +23,9 @@ variable "state_lock_table_name" {`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`variable "github_org" {`
`26`		`- description = "GitHub organization name (lowercase, as used in OIDC sub claim)"`
	`26`	`+ description = "GitHub organization name (case-sensitive, must match OIDC sub claim)"`
`27`	`27`	`type = string`
`28`		`- default = "cuspuo"`
	`28`	`+ default = "CUSPUO"`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`variable "github_repo" {`