update access for GH OIDC

we are switching from using a service user in GH action to
using a OIDC provider thus we need to provide the OIDC role
equivalent access as the service user role.

config/infra-dev/nextflow-aurora-mysql.yaml

@@ -15,6 +15,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}

config/infra-dev/smtp-credentials.yaml

@@ -8,6 +8,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}

config/infra-prod/nextflow-aurora-mysql.yaml

@@ -15,6 +15,7 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}

config/infra-prod/smtp-credentials.yaml

@@ -8,6 +8,8 @@ parameters:
   AccountAdminArns:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}

config/infra-prod/workflows-kms-key.yaml

@@ -8,6 +8,7 @@ parameters:
     - {{stack_group_config.sso_admin_role.arn}}
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
     - !stack_output_external sagebase-github-oidc-workflows-prod-nextflow-infra::ProviderRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
 
 stack_tags:
   {{stack_group_config.default_stack_tags}}

config/projects-ampad/agora-project.yaml

@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-ampad/jared-hendrickson-project.yaml

@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-ampad/strides-ampad-project.yaml

@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-ampad/wei-an-chen-project.yaml

@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-dev/example-dev-project.yaml

@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-dev/mc2-mcmicro-dev-project.yaml

@@ -12,6 +12,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-dev/orca-dev-project.yaml

@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-dev/orca-service-test-project.yaml

@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-dev/pec-dev-project.yaml

@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/amp-ad-project.yaml

@@ -12,6 +12,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/ctf-swnts-project.yaml

@@ -37,6 +37,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/example-project.yaml

@@ -44,6 +44,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/genie-bpc-project.yaml

@@ -16,6 +16,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/htan-project.yaml

@@ -18,6 +18,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/iatlas-project.yaml

@@ -23,6 +23,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/imcore-project.yaml

@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/jhu-biobank-nf-project.yaml

@@ -13,6 +13,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/mc2-mcmicro-project.yaml

@@ -21,6 +21,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/nf-ntap5-biobank-jineta.yaml

@@ -33,6 +33,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/nfri-ctf-nf1-project.yaml

@@ -29,6 +29,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/ntap-add5-project.yaml

@@ -14,6 +14,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/ntap-cnf-cell-project.yaml

@@ -28,6 +28,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/robert-allaway-project.yaml

@@ -36,6 +36,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/sophia-jobe-project.yaml

@@ -35,6 +35,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/ucf-dod-nf2-project.yaml

@@ -29,6 +29,7 @@ parameters:
   AccountAdminArns:
     - '{{stack_group_config.sso_admin_role.arn}}'
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: 'https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com'
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn

config/projects-prod/verena-chung-project.yaml

@@ -35,6 +35,7 @@ parameters:
   AccountAdminArns:
     - "{{stack_group_config.sso_admin_role.arn}}"
     - !stack_output_external workflows-nextflow-ci-service-account::ServiceRoleArn
+    - !stack_output_external github-oidc-nextflow-infra::ProviderRoleArn
   TemplateRootUrl: "https://{{stack_group_config.admincentral_cf_bucket}}.s3.amazonaws.com"
   TowerForgePolicyArn: !stack_output_external nextflow-forge-iam-policy::NextFlowForgePolicyArn
   TowerLaunchPolicyArn: !stack_output_external nextflow-launch-iam-policy::NextFlowLaunchPolicyArn