From b9afbdce827612af4afaeb4dc2fdf002c7eca8b8 Mon Sep 17 00:00:00 2001 From: Marat Bakeev Date: Fri, 1 May 2026 13:30:55 +1200 Subject: [PATCH] fix: drop iam roles from github repository provider --- AGENTS.md | 2 +- README.md | 1 - src/README.md | 1 - src/providers.tf | 16 ---------------- 4 files changed, 1 insertion(+), 19 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 8deadc1..5aa509b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -31,5 +31,5 @@ - CI: ensure pre-commit, TFLint, and tests pass. Avoid unrelated changes in the same PR. ## Security & Configuration Tips -- Never commit secrets. Configure AWS credentials/role assumption externally; the provider setup in `src/providers.tf` supports role assumption via the `iam_roles` module. +- Never commit secrets. Configure AWS credentials/role assumption externally; `src/providers.tf` only configures the AWS region for optional SSM and Secrets Manager lookups. - Global quotas must be applied in `us-east-1`; place in the `gbl` stack and set `region: us-east-1` in `vars`. diff --git a/README.md b/README.md index e0b0605..923d005 100644 --- a/README.md +++ b/README.md @@ -343,7 +343,6 @@ The following configurations are not supported for import: | Name | Source | Version | |------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | | [repository](#module\_repository) | cloudposse/repository/github | 1.1.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | diff --git a/src/README.md b/src/README.md index d8f3047..7dfd913 100644 --- a/src/README.md +++ b/src/README.md @@ -292,7 +292,6 @@ The following configurations are not supported for import: | Name | Source | Version | |------|--------|---------| -| [iam\_roles](#module\_iam\_roles) | ../account-map/modules/iam-roles | n/a | | [repository](#module\_repository) | cloudposse/repository/github | 1.1.0 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | 
diff --git a/src/providers.tf b/src/providers.tf
index ef923e1..dc58d9a 100644
--- a/src/providers.tf
+++ b/src/providers.tf
@@ -1,19 +1,3 @@
 provider "aws" {
 region = var.region
-
- # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null.
- profile = module.iam_roles.terraform_profile_name
-
- dynamic "assume_role" {
- # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role.
- for_each = compact([module.iam_roles.terraform_role_arn])
- content {
- role_arn = assume_role.value
- }
- }
-}
-
-module "iam_roles" {
- source = "../account-map/modules/iam-roles"
- context = module.this.context
 }