
fix: drop iam roles from github repository provider #53

Open
mtb-xt wants to merge 1 commit into cloudposse-terraform-components:main from mtb-xt:codex/drop-github-repository-iam-roles

Conversation

Contributor

@mtb-xt mtb-xt commented May 1, 2026

What

Remove the iam_roles account-map subcomponent from the GitHub repository component provider configuration.

The AWS provider is still present because the component can read repository secret values from SSM Parameter Store and AWS Secrets Manager, but it now uses the ambient AWS credentials supplied by the runner/environment instead of resolving account-map roles.

Why

This component manages GitHub repositories, not AWS IAM resources. Pulling in ../account-map/modules/iam-roles adds dynamic AWS identity/account-map data to otherwise GitHub-focused plans. In workflows that save a plan under one identity and apply under another, that identity-dependent data can make the saved plan differ from the apply-time plan even when the visible GitHub resource changes are the same.

Migration note

Existing workspaces that have already applied this component with module.iam_roles in state may need a one-time state cleanup after upgrading.

If OpenTofu/Terraform reports that it cannot read the schema for cloudposse/awsutils while decoding old state, remove the obsolete module state entry before planning/applying this version, for example:

terraform state rm 'module.iam_roles'

That state entry only represented the provider/account-map helper path used for role resolution. The component no longer declares or uses it after this change.

Notes

  • This intentionally does not add a bypass/migration shim because the component does not need account-map role resolution at runtime.
  • AWS credential or role assumption should be configured outside this component, for example by the CI runner, Atmos auth wrapper, or the surrounding execution environment.

Validation

  • terraform fmt -check src/providers.tf
  • terraform -chdir=src init -backend=false
  • terraform -chdir=src validate
  • git diff --check

Summary by CodeRabbit

  • Documentation

    • Updated provider configuration guidance to reflect that AWS region is the only configurable setting for optional lookups.
    • Removed references to the iam_roles module from module documentation tables.
  • Chores

    • Simplified AWS provider configuration to region setting only.

Contributor

coderabbitai Bot commented May 1, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7ca9d3c-8d60-4e1b-8f95-f2917f337d76

📥 Commits

Reviewing files that changed from the base of the PR and between 22ba453 and b9afbdc.

📒 Files selected for processing (4)
  • AGENTS.md
  • README.md
  • src/README.md
  • src/providers.tf
💤 Files with no reviewable changes (3)
  • README.md
  • src/README.md
  • src/providers.tf

📝 Walkthrough

Walkthrough

The pull request removes the iam_roles module from the AWS provider configuration and updates all documentation to reflect this change. The provider configuration is simplified to only set the AWS region, eliminating role assumption capabilities previously provided by the iam_roles module.

Changes

Cohort / File(s): Summary

Documentation Updates (AGENTS.md, README.md, src/README.md): Removed references to the iam_roles module from documentation tables and security guidance, reflecting its deprecation from the provider configuration.

Provider Configuration (src/providers.tf): Removed module "iam_roles" instantiation and the conditional dynamic "assume_role" block that previously referenced it, leaving only region = var.region in the AWS provider configuration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A role once assumed, now laid to rest,
The config grows simpler, lean and blessed,
Just regions remain in the provider's care,
The iam_roles module vanishes in air! ✨

🚥 Pre-merge checks: 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title accurately describes the main change: removing the iam_roles module from the GitHub repository provider configuration.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

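The PR description ("What" / "Why") and the CodeRabbit walkthrough both describe the same edit to src/providers.tf: the account-map iam_roles helper and the conditional assume_role block go away, and only region = var.region remains. The page does not show the file itself, so the following is an added illustration of that before/after shape, not the component's actual code. The two provider blocks are alternative versions of the same file, not one file. The helper output name terraform_role_arn and the use of module.this.context are assumptions about the helper's interface; the module path, the dynamic assume_role block and region = var.region come from the page.

```hcl
# src/providers.tf - BEFORE (constructed illustration of the configuration the PR removes)

# The account-map helper resolves which IAM role this component should assume.
# Its output name `terraform_role_arn` and `module.this.context` are assumed here,
# not taken from the page.
module "iam_roles" {
  source  = "../account-map/modules/iam-roles"
  context = module.this.context
}

provider "aws" {
  region = var.region

  # Emit an assume_role block only when the helper resolved a role ARN.
  # compact() drops a null ARN, so for_each yields zero or one blocks.
  # This is the identity-dependent data the PR says can make a plan saved
  # under one identity differ from the plan computed at apply time.
  dynamic "assume_role" {
    for_each = compact([module.iam_roles.terraform_role_arn])
    content {
      role_arn = assume_role.value
    }
  }
}

# src/providers.tf - AFTER (what the PR description and walkthrough say remains)

# No module "iam_roles" and no assume_role block. Credentials are whatever the
# ambient environment supplies (CI runner, Atmos auth wrapper, AWS_PROFILE, or
# an instance/task role), so the plan no longer embeds account-map role data.
provider "aws" {
  region = var.region
}
```

With the AFTER form the component trusts the caller's identity, so the check worth adding to a plan/apply workflow is confirming which identity the runner actually holds before running plan (for example with `aws sts get-caller-identity`), and running plan and apply under the same identity so the saved plan matches the apply-time plan. The migration step from the description (`terraform state rm 'module.iam_roles'`) is safe to run only after `terraform state list` shows that the only entries under `module.iam_roles` are the helper's data sources; there should be no managed resources there to lose.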

@mergify mergify Bot requested review from a team May 1, 2026 01:32

mergify Bot commented May 1, 2026

Important

Do not edit the README.md directly. It's auto-generated from the README.yaml

Please update the README.yaml file instead.

Could you fix it @mtb-xt? 🙏

@mergify mergify Bot added the triage Needs triage label May 1, 2026
@mtb-xt mtb-xt marked this pull request as ready for review May 1, 2026 01:52