chore: assume oidc role once

.github/actions/just/README.md

@@ -1,13 +1,13 @@
-# Execute Just Command with AWS OIDC
+# Execute Just Command
 
-This GitHub Action sets up [`just`](https://github.com/casey/just), authenticates to AWS via OIDC, and runs a specified **just recipe** — useful for clean, repeatable, script-based workflows in infrastructure, DevOps, and CI/CD pipelines.
+This GitHub Action sets up [`just`](https://github.com/casey/just) and runs a specified **just recipe**. When the recipe needs AWS, the workflow job should configure credentials first.
 
 ---
 
 ## 🚀 Features
 
 - Installs a specific version of [`just`](https://github.com/casey/just)
-- Configures AWS credentials using GitHub OIDC
+- Uses AWS credentials already configured earlier in the same job when needed
 - Executes any `just` command (recipe)
 - Captures and returns the final line of output as an action output
 
@@ -19,7 +19,6 @@ This GitHub Action sets up [`just`](https://github.com/casey/just), authenticate
 |--------------------|--------------------------------------------------|----------|--------------|
 | `just_version`     | Version of `just` to install                     | ❌        | `1.49.0`     |
 | `aws_region`       | AWS region                                       | ❌        | `eu-west-2`  |
-| `aws_oidc_role_arn`| ARN of the IAM role to assume via OIDC (optional when AWS credentials are already configured in the job) | ❌ | `""` |
 | `just_action`      | The `just` recipe to execute                     | ✅        | —            |
 | `mask_result`      | Use to mask value in CI                          | ❌        | `false`      |
 
@@ -35,6 +34,32 @@ This GitHub Action sets up [`just`](https://github.com/casey/just), authenticate
 
 ## 🛠 Example Usage
 
+### Reuse AWS credentials already configured in the job
+
+```yaml
+jobs:
+  run-just:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
+
+      - name: Run just with ambient AWS session
+        uses: ./.github/actions/just
+        with:
+          justfile_path: justfile.ci
+          just_action: some-aws-recipe
+```
+
 ```just
 lambda-get-version:
     #!/usr/bin/env bash
@@ -54,14 +79,19 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
+
       - name: get lambda version
         id: lambda-get-version
         uses: ./.github/actions/just
         env:
           FUNCTION_NAME: dev-lambda-function
           ALIAS_NAME: dev
         with:
-          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
           just_action: lambda-get-version
 
       - name: read output from script
@@ -88,11 +118,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
+
       - name: get secret
         id: get-secret
         uses: ./.github/actions/just
         with:
-          aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }}
           just_action: get-secret
 
       - name: read output from script

.github/actions/just/action.yml

@@ -1,5 +1,5 @@
-name: "Execute Just command with AWS OIDC"
-description: "Sets up Just, configures AWS OIDC authentication and runs just action"
+name: "Execute Just command"
+description: "Sets up Just and runs a just action using AWS credentials already configured in the job when needed"
 
 inputs:
   just_version:
@@ -9,9 +9,6 @@ inputs:
   aws_region:
     description: "AWS Region"
     default: "eu-west-2"
-  aws_oidc_role_arn:
-    description: "AWS iam role arn"
-    default: ""
   just_action:
     description: "Just command (recipe) to execute"
     required: true
@@ -37,13 +34,6 @@ runs:
       with:
         just-version: ${{ inputs.just_version }}
 
-    - name: Configure AWS OIDC Authentication
-      if: ${{ inputs.aws_oidc_role_arn != '' }}
-      uses: aws-actions/configure-aws-credentials@v5
-      with:
-        role-to-assume: ${{ inputs.aws_oidc_role_arn }}
-        aws-region: ${{ inputs.aws_region }}
-
     - name: Run just action (try/catch + capture)
       id: capture
       if: ${{ inputs.mask_result == 'false' }}

.github/actions/terragrunt/README.md

@@ -1,15 +1,15 @@
-# Execute Terraform & Terragrunt with AWS OIDC
+# Execute Terraform & Terragrunt
 
-This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AWS via **OIDC**, and runs a specified `terragrunt` action: `apply`, `plan`, `apply_plan`, `destroy`, or `init`.
+This GitHub Action sets up **Terraform** and **Terragrunt** and runs a specified `terragrunt` action: `apply`, `plan`, `apply_plan`, `destroy`, or `init`. When the action needs AWS, the workflow job should configure credentials first.
 
 ## Features
 
 - Installs pinned versions of Terraform and Terragrunt
-- Authenticates to AWS using OIDC only when the selected action actually needs AWS access
+- Uses AWS credentials already configured earlier in the same job when needed
 - Optionally passes Terragrunt variables via JSON tfvars
 - Supports `plan` mode for producing local saved plan files
 - Supports `init` mode for outputs-only reads
-- Uses the repo-local `./.github/actions/just` action with OIDC for saved plan artifact upload and download
+- Uses the repo-local `./.github/actions/just` action for saved plan artifact upload and download
 - Exports Terragrunt outputs as compact JSON when state exists
 
 ## Inputs
@@ -20,7 +20,6 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW
 | `tg_version` | Version of Terragrunt to install | No | `0.72.6` |
 | `aws_region` | AWS region to use | No | `eu-west-2` |
 | `override_tg_vars` | Terragrunt variables in JSON, written to `override_tg_vars.tfvars.json` | No | `{}` |
-| `aws_oidc_role_arn` | IAM role ARN to assume via OIDC | Yes | — |
 | `tg_directory` | Directory containing the Terragrunt config | Yes | — |
 | `tg_action` | Terragrunt action: `apply`, `plan`, `apply_plan`, `destroy`, or `init` | Yes | `apply` |
 
@@ -36,7 +35,7 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW
 - `apply`
   Runs `terragrunt apply -auto-approve`
 - `plan`
-  Runs `terragrunt plan -detailed-exitcode -out=<absolute stack path>/terragrunt.tfplan`, then renders `terragrunt.plan.txt` and writes `terragrunt.plan.meta.json` via the repo `justfile.tg` recipe `terragrunt-plan-render`. It then uploads those files to S3 through the repo-local `./.github/actions/just` action using the same OIDC role.
+  Runs `terragrunt plan -detailed-exitcode -out=<absolute stack path>/terragrunt.tfplan`, then renders `terragrunt.plan.txt` and writes `terragrunt.plan.meta.json` via the repo `justfile.tg` recipe `terragrunt-plan-render`. It then uploads those files to S3 through the repo-local `./.github/actions/just` action using the AWS credentials already configured in the job.
 - `apply_plan`
   Downloads the saved plan files into `tg_directory` via the repo-local `./.github/actions/just` action and `justfile.tg`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable plus the stack-derived suffix from `tg_directory`. It then fails if the binary plan file or `terragrunt.plan.meta.json` is missing, reads `has_changes` from the saved metadata file, and skips apply with a GitHub Actions warning when the saved plan contains no mutating resource changes. Otherwise it runs `terragrunt apply` against the absolute stack-path plan file.
 - `destroy`
@@ -53,8 +52,37 @@ This GitHub Action sets up **Terraform** and **Terragrunt**, authenticates to AW
   - `<plan_artifact_s3_prefix>/terragrunt-plan-<sanitized-tg-directory>/terragrunt.plan.txt`
   - `<plan_artifact_s3_prefix>/terragrunt-plan-<sanitized-tg-directory>/terragrunt.plan.meta.json`
 
+## AWS Credentials
+
+Configure AWS credentials in the workflow job before calling this action. The action then reuses those ambient credentials for Terragrunt itself and for any saved-plan upload or download steps.
+
 ## Usage
 
+### Reuse AWS credentials already configured in the job
+
+```yaml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ env.AWS_OIDC_ROLE_ARN }}
+
+      - name: Reuse ambient session in Terragrunt
+        uses: ./.github/actions/terragrunt
+        with:
+          tg_directory: infra/live/dev/aws/network
+          tg_action: init
+```
+
 ### Minimal Apply
 
 ```yaml
@@ -72,7 +100,6 @@ jobs:
         uses: your-org/your-action-repo@main
         with:
           aws_region: ${{ vars.AWS_REGION }}
-          aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role
           tg_directory: infra/live/dev/aws/network
           tg_action: apply
           override_tg_vars: '{"env":"dev","region":"eu-west-2"}'
@@ -94,11 +121,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role
+
       - name: Plan infrastructure
         uses: your-org/your-action-repo@main
         with:
           aws_region: ${{ vars.AWS_REGION }}
-          aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role
           tg_directory: infra/live/dev/aws/network
           tg_action: plan
 ```
@@ -115,11 +147,16 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Configure AWS credentials once
+        uses: aws-actions/configure-aws-credentials@v6
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role
+
       - name: Apply infrastructure from uploaded plan
         uses: your-org/your-action-repo@main
         with:
           aws_region: ${{ vars.AWS_REGION }}
-          aws_oidc_role_arn: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/${{ vars.PROJECT_NAME }}-dev-github-oidc-role
           tg_directory: infra/live/dev/aws/network
           tg_action: apply_plan
 ```

.github/actions/terragrunt/action.yml

@@ -1,5 +1,5 @@
-name: "Execute Terraform & Terragrunt with AWS OIDC"
-description: "Sets up Terraform, Terragrunt, configures AWS OIDC authentication and runs terragrunt action"
+name: "Execute Terraform & Terragrunt"
+description: "Sets up Terraform and Terragrunt and runs a terragrunt action using AWS credentials already configured in the job when needed"
 
 inputs:
   tf_version:
@@ -17,9 +17,6 @@ inputs:
     description: "Override or additional Terragrunt variables in JSON format"
     required: false
     default: "{}"
-  aws_oidc_role_arn:
-    description: "AWS iam role arn"
-    required: true
   tg_directory:
     description: "Module directory to perform action upon"
     required: true
@@ -61,7 +58,6 @@ runs:
       env:
         TG_DIRECTORY: ${{ inputs.tg_directory }}
       with:
-        aws_oidc_role_arn: ${{ inputs.aws_oidc_role_arn }}
         aws_region: ${{ inputs.aws_region }}
         justfile_path: justfile.tg
         just_action: terragrunt-plan-download
@@ -95,13 +91,6 @@ runs:
           echo "should_apply=true" >> "$GITHUB_OUTPUT"
         fi
 
-    - name: Configure AWS OIDC Authentication
-      if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true'
-      uses: aws-actions/configure-aws-credentials@v5
-      with:
-        role-to-assume: ${{ inputs.aws_oidc_role_arn }}
-        aws-region: ${{ inputs.aws_region }}
-
     - name: Action Terragrunt
       if: inputs.tg_action != 'apply_plan' || steps.apply_plan_guard.outputs.should_apply == 'true'
       id: terragrunt_action
@@ -163,7 +152,6 @@ runs:
       env:
         TG_DIRECTORY: ${{ inputs.tg_directory }}
       with:
-        aws_oidc_role_arn: ${{ inputs.aws_oidc_role_arn }}
         aws_region: ${{ inputs.aws_region }}
         justfile_path: justfile.tg
         just_action: terragrunt-plan-upload