000 – Main account pre-requisites

We aim to do everything as code in ARGLabs, but at the very start we cannot even run pipelines: there is no IAM role for Bitbucket to assume, no S3 bucket to store Terraform state, and no policies to authorize anything. This project breaks that chicken-and-egg cycle by provisioning the foundational pieces every other ARGLabs project depends on.

What it provisions

  • Bitbucket OIDC provider on AWS IAM, trusting the arglabs Bitbucket workspace.
  • bitbucket-openid IAM role, assumed by Bitbucket Pipelines via sts:AssumeRoleWithWebIdentity. Its only permission is to assume the deployer role.
  • deployer IAM role, assumed only by bitbucket-openid. Holds the actual deploy permissions: iam:*, s3:*, organizations:*, account:*, route53:*, route53domains:*, sso:*.
  • arglabs-terraform-states S3 bucket, the shared remote state backend used by every ARGLabs Terraform project.
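The trust chain described above, written out as an added Terraform example (this is illustrative code, not the repository's own configuration). It uses the standard `aws_iam_openid_connect_provider`, `aws_iam_role`, `aws_iam_role_policy` and `aws_s3_bucket*` resources; the workspace UUID and the provider certificate thumbprint are placeholders to be replaced with the values from the Bitbucket workspace settings and the Bitbucket OIDC documentation, and the inline policy names are assumptions. The `aud` condition on the `bitbucket-openid` trust policy is what keeps a token from any other Bitbucket workspace from assuming the role; the `sub` claim (repository and step UUIDs) can be matched as well to narrow trust to specific repositories.

```hcl
# Added example, not the arglabs-mainaccount-iac-prereqs project's own code.
locals {
  workspace      = "arglabs"
  workspace_uuid = "{PLACEHOLDER-WORKSPACE-UUID}" # assumption: copy from Bitbucket, braces included
  oidc_url       = "https://api.bitbucket.org/2.0/workspaces/${local.workspace}/pipelines-config/identity/oidc"
  oidc_host      = trimprefix(local.oidc_url, "https://")
  audience       = "ari:cloud:bitbucket::workspace/${local.workspace_uuid}"
}

# 1. OIDC identity provider trusting the arglabs Bitbucket workspace.
resource "aws_iam_openid_connect_provider" "bitbucket" {
  url             = local.oidc_url
  client_id_list  = [local.audience]
  thumbprint_list = ["PLACEHOLDER_THUMBPRINT"] # assumption: take from Bitbucket's OIDC docs
}

# 2. bitbucket-openid: only a web-identity token minted for this workspace
#    (checked via the aud claim) may assume it.
data "aws_iam_policy_document" "bitbucket_openid_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.bitbucket.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "${local.oidc_host}:aud"
      values   = [local.audience]
    }
  }
}

resource "aws_iam_role" "bitbucket_openid" {
  name               = "bitbucket-openid"
  assume_role_policy = data.aws_iam_policy_document.bitbucket_openid_trust.json
}

# Its single permission: assume the deployer role.
data "aws_iam_policy_document" "bitbucket_openid_permissions" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.deployer.arn]
  }
}

resource "aws_iam_role_policy" "bitbucket_openid" {
  name   = "assume-deployer" # assumption: policy name
  role   = aws_iam_role.bitbucket_openid.id
  policy = data.aws_iam_policy_document.bitbucket_openid_permissions.json
}

# 3. deployer: trusts nobody but bitbucket-openid and holds the deploy permissions.
data "aws_iam_policy_document" "deployer_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.bitbucket_openid.arn]
    }
  }
}

resource "aws_iam_role" "deployer" {
  name               = "deployer"
  assume_role_policy = data.aws_iam_policy_document.deployer_trust.json
}

data "aws_iam_policy_document" "deployer_permissions" {
  statement {
    actions = ["iam:*", "s3:*", "organizations:*", "account:*",
               "route53:*", "route53domains:*", "sso:*"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "deployer" {
  name   = "deploy" # assumption: policy name
  role   = aws_iam_role.deployer.id
  policy = data.aws_iam_policy_document.deployer_permissions.json
}

# 4. Shared remote state bucket: versioned (state history is recoverable) and
#    blocked from any public exposure, since state files contain secrets.
resource "aws_s3_bucket" "states" {
  bucket = "arglabs-terraform-states"
}

resource "aws_s3_bucket_versioning" "states" {
  bucket = aws_s3_bucket.states.id
  versioning_configuration { status = "Enabled" }
}

resource "aws_s3_bucket_public_access_block" "states" {
  bucket                  = aws_s3_bucket.states.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Because `bitbucket-openid` carries no permissions of its own and `deployer` trusts only that one role, a pipeline step first presents its OIDC token to become `bitbucket-openid` and then performs a second `sts:AssumeRole` to become `deployer`; both hops show up as separate `AssumeRole*` events in CloudTrail, which makes the chain easy to audit.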

How to bootstrap it

A temporary IAM user is required for the very first apply, with two policies attached: IAMReadOnlyAccess (AWS managed) and iamuser-mainaccount-iac-prereqs (customer managed, least-privilege for the resources in this repo).

Export the keys, run terraform init / plan / apply from terraform/, then deactivate the credentials. After that, every future change runs through Bitbucket Pipelines via OIDC, with no long-lived AWS credentials anywhere.

Repository: bitbucket.org/arglabs/arglabs-mainaccount-iac-prereqs
