feat(identity-access-control): add module to configure the AWS IAM provider #387
Merged
963c75b to d14ce01
Add nullplatform/identity-access-control, which configures an identity & access control provider in nullplatform via nullplatform_provider_config.

The module is cloud-agnostic: the provider `type` and `attributes` are exposed as variables so new clouds can be onboarded without changing the module. `type` defaults to the AWS IAM provider (aws-iam-configuration), and `attributes` carries the provider-specific config (JSON-encoded to match the selected specification's schema).

For AWS, this is the platform-side counterpart to infrastructure/aws/iam/agent, which grants the agent sts:AssumeRole over the published role ARNs.

- type variable (default aws-iam-configuration) + generic attributes (any)
- supports dimensions
- no ignore_changes on attributes: Terraform stays the source of truth
- includes README (AWS + new-cloud usage) and tests (3 passing)

Also ignore the local np-api-skill.token credential.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
d14ce01 to c6491bd
agustincelentano approved these changes Jun 10, 2026
Summary

Adds a new cloud-agnostic module `nullplatform/identity-access-control` that configures an identity & access control provider in nullplatform through a `nullplatform_provider_config` resource.

The provider `type` and `attributes` are exposed as variables so new clouds can be onboarded without changing the module. `type` defaults to the AWS IAM provider (`aws-iam-configuration`), confirmed live via the nullplatform API (there is no provider literally named `identity-access-control`).

For AWS, this is the platform-side counterpart to `infrastructure/aws/iam/agent`, which grants the agent `sts:AssumeRole` over the published role ARNs.

Inputs

| Name | Type | Default |
|------|------|---------|
| `nrn` | `string` | |
| `attributes` | `any` | |
| `type` | `string` | `"aws-iam-configuration"` |
| `dimensions` | `map(string)` | `{}` |

`attributes` is JSON-encoded as-is to match the selected provider specification's schema. For `aws-iam-configuration`:

Onboarding a new cloud is just a different `type` + `attributes`:

Design notes

- No `ignore_changes` on `attributes` (unlike `metrics`/`code_repository`, which suppress drift for externally-rotated secrets): this config is declarative identity/access data, so Terraform stays the source of truth.
- `nullplatform/*` provider-config conventions.

Testing

`tofu fmt`, `tofu validate`, `tofu test` pass (also enforced via pre-commit hooks).

🤖 Generated with Claude Code