From 7b629f1fd915873677e88dfdb552b541dbde3e76 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Tue, 28 May 2024 14:09:38 -0400 Subject: [PATCH 01/37] first draft of az oidc module --- modules/github-azure-oidc/oidc.tf | 100 ++++++++++++++++++++ modules/github-azure-oidc/outputs.tf | 34 +++++++ modules/github-azure-oidc/resource_group.tf | 22 +++++ modules/github-azure-oidc/storage.tf | 27 ++++++ modules/github-azure-oidc/variables.tf | 91 ++++++++++++++++++ modules/github-azure-oidc/versions.tf | 17 ++++ 6 files changed, 291 insertions(+) create mode 100644 modules/github-azure-oidc/oidc.tf create mode 100644 modules/github-azure-oidc/outputs.tf create mode 100644 modules/github-azure-oidc/resource_group.tf create mode 100644 modules/github-azure-oidc/storage.tf create mode 100644 modules/github-azure-oidc/variables.tf create mode 100644 modules/github-azure-oidc/versions.tf diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf new file mode 100644 index 0000000..724ed85 --- /dev/null +++ b/modules/github-azure-oidc/oidc.tf 
@@ -0,0 +1,100 @@ +locals { + default_audience_name = "api://AzureADTokenExchange" + github_issuer_url = "https://token.actions.githubusercontent.com" + + bootstrap_repo_name = "bootstrap" + organizations_repo_name = "organizations" + + state_file_access_roles = tolist([{ + scope = "${azurerm_storage_container.azurerm_storage_container.resource_manager_id }" + role_definition_name = "Storage Blob Data Contributor" + }]) + + bootstrap_project_roles = local.state_file_access_roles + + organizations_project_roles = concat( + local.state_file_access_roles, + tolist([{ + scope = "${azurerm_key_vault.key_vault.id}" + role_definition_name = "Key Vault Secrets User" + }]) + # tolist([ + # "roles/secretmanager.viewer", + # "roles/secretmanager.secretAccessor", + # "roles/iam.workloadIdentityUser" + # ]) + ) +} + +data "azurerm_client_config" "current" {} + +data "azurerm_key_vault" "key_vault" { + name = var.kv_name + resource_group_name = var.kv_resource_group != "" ? var.kv_resource_group : local.github_foundations_rg.name +} + +/** +* User assigned identities and roles for github state bucket and federated identity setup +*/ + +resource "azurerm_user_assigned_identity" "bootstrap_identity" { + location = local.github_foundations_rg.location + resource_group_name = local.github_foundations_rg.name + name = "${local.bootstrap_repo_name}-identity" +} + +resource "azurerm_role_assignment" "bootstrap_role_assignment" { + for_each = toset(local.bootstrap_project_roles) + scope = each.value.scope + role_definition_name = each.value.role_definition_name + principal_id = azurerm_user_assigned_identity.bootstrap_identity.principal_id +} + +resource "azurerm_user_assigned_identity" "organization_identity" { + location = local.github_foundations_rg.location + resource_group_name = local.github_foundations_rg.name + name = "${local.organizations_repo_name}-identity" +} + +resource "azurerm_role_assignment" "organization_role_assignment" { + for_each = 
toset(local.organizations_project_roles) + scope = each.value.scope + role_definition_name = each.value.role_definition_name + principal_id = azurerm_user_assigned_identity.organization_identity.principal_id +} + +resource "azurerm_federated_identity_credential" "bootstrap_pull_request_credentials" { + name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-pr-credentials" + resource_group_name = local.github_foundations_rg.name + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.bootstrap_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:pull_request" +} + +resource "azurerm_federated_identity_credential" "bootstrap_drift_credentials" { + name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-drift-credentials" + resource_group_name = local.github_foundations_rg.name + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.bootstrap_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" +} + +resource "azurerm_federated_identity_credential" "organization_pull_request_credentials" { + name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-pr-credentials" + resource_group_name = local.github_foundations_rg.name + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.organization_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:pull_request" +} + +resource "azurerm_federated_identity_credential" "organization_drift_credentials" { + name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-drift-credentials" + resource_group_name = 
local.github_foundations_rg.name + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.organization_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" +} \ No newline at end of file diff --git a/modules/github-azure-oidc/outputs.tf b/modules/github-azure-oidc/outputs.tf new file mode 100644 index 0000000..662e3b6 --- /dev/null +++ b/modules/github-azure-oidc/outputs.tf @@ -0,0 +1,34 @@ +output "resource_group" { + description = "Resource group name." + value = local.github_foundations_rg +} + +output "bootstrap_client_id" { + description = "Bootstrap repository client id for authenticating with oidc." + value = azurerm_user_assigned_identity.bootstrap_identity.client_id +} + +output "organization_client_id" { + description = "Organizations repository client id for authenticating with oidc." + value = azurerm_user_assigned_identity.organization_identity.client_id +} + +output "tenant_id" { + description = "Azure tenant id for authenticating with oidc." + value = data.azurerm_client_config.current.tenant_id +} + +output "subscription_id" { + description = "Azure subscription id for authenticating with oidc." + value = data.azurerm_client_config.current.subscription_id +} + +output "sa_name" { + description = "Terraform state container storage account name." + value = azurerm_storage_account.azurerm_storage_account.name +} + +output "container_name" { + description = "Terraform state container name." + value = azurerm_storage_container.github_foundations_tf_state_container.name +} \ No newline at end of file diff --git a/modules/github-azure-oidc/resource_group.tf b/modules/github-azure-oidc/resource_group.tf new file mode 100644 index 0000000..1697623 --- /dev/null +++ b/modules/github-azure-oidc/resource_group.tf 
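Review bot: Both `azurerm_role_assignment` resources pass `toset(...)` of a list of objects to `for_each`, which Terraform rejects (`for_each` accepts only maps and sets of strings), so this file fails at plan time; key a map by the role name instead, which is also known at plan time unlike the container's `resource_manager_id`: `for_each = { for r in local.bootstrap_project_roles : r.role_definition_name => r }` for `bootstrap_role_assignment` and the same shape over `local.organizations_project_roles` for `organization_role_assignment`. The locals also reference `azurerm_key_vault.key_vault.id`, but the key vault is declared as a data source, so it must be `data.azurerm_key_vault.key_vault.id`; patch 05 repairs the storage container reference but leaves this one. On the federated credentials, the `:pull_request` subjects bind the same identities, and with them `Storage Blob Data Contributor` on the state container, to any pull_request-triggered run; a comment stating why PR runs need write access to state (presumably the azurerm backend's blob lease) or a separate plan-only identity would make that trust decision explicit.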
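Review bot: `output "resource_group"` is described as "Resource group name." but exports the whole `local.github_foundations_rg` object, while the consumer added in patch 02 (`oidc_configuration.azure.resource_group_name`) expects a string; either export the name, `value = local.github_foundations_rg.name`, or rename the output and its description to say it is the full resource group object. The two client id outputs are not marked `sensitive`, which is fine for client ids but worth stating in their descriptions so nobody later wires a secret through the same pattern unmarked.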
@@ -0,0 +1,22 @@ +locals { + github_foundations_rg = ( + var.rg_create + ? try(azurerm_resource_group.github_foundations_rg[0], null) + : try(data.azurerm_resource_group.github_foundations_rg[0], null) + ) +} + +data "azurerm_resource_group" "github_foundations_rg" { + count = var.rg_create ? 0 : 1 + name = var.rg_name +} +resource "azurerm_resource_group" "github_foundations_rg" { + count = var.rg_create ? 1 : 0 + name = var.rg_name + location = var.rg_location +} + +#tf state req +#gcp foldrs and projects -> az subscription and resource groups +#gcp storage bucket -> az storage account and container +#gcp sa -> az managed identity diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf new file mode 100644 index 0000000..752e457 --- /dev/null +++ b/modules/github-azure-oidc/storage.tf 
@@ -0,0 +1,27 @@ +locals { + default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? var.tf_state_container_default_encryption_scope : null +} + +resource "azurerm_storage_account" "github_foundations_sa" { + name = var.sa_name + resource_group_name = local.github_foundations_rg.name + location = local.github_foundations_rg.location + account_tier = var.sa_tier + account_replication_type = var.sa_replication_type +} + +resource "azurerm_storage_encryption_scope" "encryption_scope" { + count = var.tf_state_container_default_encryption_scope.name != "" ? 1 : 0 + name = var.tf_state_container_default_encryption_scope.name + storage_account_id = azurerm_storage_account.github_foundations_sa.id + source = var.tf_state_container_default_encryption_scope.source + key_vault_key_id = var.tf_state_container_default_encryption_scope.key_vault_key_id +} + +resource "azurerm_storage_container" "github_foundations_tf_state_container" { + name = var.tf_state_container + storage_account_name = azurerm_storage_account.github_foundations_sa.name + container_access_type = var.tf_state_container_anonymous_access_level + default_encryption_scope = local.default_encryption_scope + encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled +} \ No newline at end of file diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf new file mode 100644 index 0000000..adc7093 --- /dev/null +++ b/modules/github-azure-oidc/variables.tf 
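Review bot: The state container's public access level comes straight from `var.tf_state_container_anonymous_access_level`, and nothing on `azurerm_storage_account.github_foundations_sa` forbids public containers, so a caller passing a non-private value would expose the Terraform state blob, which routinely carries secrets; pin `container_access_type = "private"` on the container and set `allow_nested_items_to_be_public = false` on the account so the exposure is impossible rather than merely defaulted off. The account also has no versioning or soft delete, so a corrupted or deleted state file is unrecoverable; the change below adds both (the retention days value is a constructed example). Separately, `default_encryption_scope` names the scope from the variable rather than from `azurerm_storage_encryption_scope.encryption_scope[0]`, so Terraform sees no dependency and may create the container before the scope exists; patch 08 touches this line but keeps the variable-based reference.
```hcl
resource "azurerm_storage_account" "github_foundations_sa" {
  # … unchanged: name, resource_group_name, location, account_tier, account_replication_type …

  # Terraform state must never be reachable anonymously, regardless of container settings.
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"

  # Keep prior state versions and allow undelete so a bad apply is recoverable.
  blob_properties {
    versioning_enabled = true
    delete_retention_policy {
      days = 7 # constructed example; set per retention policy
    }
  }
}
```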
@@ -0,0 +1,91 @@ +#Resource Group Variables +variable "rg_create" { + description = "Create resource group. When set to false, uses id to reference an existing resource group." + type = bool + default = true +} + +variable "rg_name" { + type = string + description = "The name of the resource group to create the github foundation azure resources in." +} + +variable "rg_location" { + type = string + description = "The location of the resource group to create the github foundation azure resources in." +} + +#Storage Variables +variable sa_name { + type = string + description = "The name of the storage account for github foundations." +} + +variable "sa_tier" { + type = string + description = "The tier of the storage account for github foundations. Valid options are Standard and Premium." +} + +variable "sa_replication_type" { + type = string + description = "The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA_GZRS." +} + +variable "tf_state_container" { + type = string + description = "The name of the container to store the terraform state file(s) in." + default = "tfstate" +} + +variable "tf_state_container_anonymous_access_level" { + type = string + description = "The anonymous access level of the container to store the terraform state file(s) in." + default = "private" +} + +variable "tf_state_container_encryption_scope_override_enabled" { + type = bool + description = "Whether or not the encryption scope override is enabled for the container to store the terraform state file(s) in. Defaults to false" + default = false +} + +variable "tf_state_container_default_encryption_scope" { + type = object({ + name = string + source = string + key_vault_key_id = optional(string) + }) + description = "The default encryption scope of the container to store the terraform state file(s) in." 
+ default = { + name = "" + source = "" + storage_account_id = "" + } + validation { + condition = var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null + error_message = "Key vault key id must be set when source is \"Microsoft.KeyVault\"." + } +} + +#Key Vault Variables +variable "kv_name" { + type = string + description = "The name of the key vault to use for github foundation secrets." +} + +variable "kv_resource_group" { + type = string + description = "The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group." +} + +#Federated Identity Credentials Varialbes + +variable "github_foundations_organization_name" { + type = string + description = "The name of the organization that the github foundation repos will be under." +} + +variable "drift_detection_branch_name" { + type = string + description = "The name of the branch to use for drift detection." +} \ No newline at end of file diff --git a/modules/github-azure-oidc/versions.tf b/modules/github-azure-oidc/versions.tf new file mode 100644 index 0000000..2083643 --- /dev/null +++ b/modules/github-azure-oidc/versions.tf @@ -0,0 +1,17 @@ +terraform { + required_version = ">= 1.6" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = ">=3.0.0" #tftest + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 3.77" # tftest + } + random = { + source = "hashicorp/random" + version = ">= 3.6" # tftest + } + } +} From 8d22d8a3c1ce5a92262d6ebef465ad178bd63388 Mon Sep 17 00:00:00 2001 
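Review bot: The `default` for `tf_state_container_default_encryption_scope` sets `storage_account_id = ""`, an attribute the declared `object({ name, source, key_vault_key_id })` type does not have; Terraform is strict about unexpected object attributes, so this default is likely rejected at validation, and dropping that line is the fix. `tf_state_container_anonymous_access_level` accepts any string while its only safe value for a state container is `"private"`; if the variable stays, add `validation { condition = var.tf_state_container_anonymous_access_level == "private" ... }` or at least document that non-private values publish the state file. `rg_location` is declared without a default but is only consumed when `rg_create` is true, so callers referencing an existing resource group are forced to supply a value that is ignored; a default of `null` with a note to that effect would match the `rg_create` description.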
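Review bot: `required_providers` declares `google-beta` and `random`, but none of the six files in this patch uses a resource or data source from either, so the module forces every consumer to download and authenticate providers it does not need; they look copied from the GCP module and should be removed, or a comment should say which planned resource will use them.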
From: Tyler Mizuyabu Date: Tue, 28 May 2024 14:25:31 -0400 Subject: [PATCH 02/37] added azure github secret configuration option for oidc --- .../azure-oidc-variables.tf | 75 +++++++++++++++++++ modules/github-foundations/variables.tf | 22 ++++++ 2 files changed, 97 insertions(+) create mode 100644 modules/github-foundations/azure-oidc-variables.tf diff --git a/modules/github-foundations/azure-oidc-variables.tf b/modules/github-foundations/azure-oidc-variables.tf new file mode 100644 index 0000000..eaca04f --- /dev/null +++ b/modules/github-foundations/azure-oidc-variables.tf 
@@ -0,0 +1,75 @@ +resource "github_actions_secret" "organization_managed_identity_client_id" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + repository = github_repository.organizations_repo.name + secret_name = coalesce(var.oidc_configuration.azure.organization_client_id_variable_name, "AZURE_CLIENT_ID") + plaintext_value = var.oidc_configuration.azure.organization_client_id +} + +resource "github_actions_secret" "bootstrap_managed_identity_client_id" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + repository = github_repository.bootstrap_repo.name + secret_name = coalesce(var.oidc_configuration.azure.bootstrap_client_id_variable_name, "AZURE_CLIENT_ID") + plaintext_value = var.oidc_configuration.azure.bootstrap_client_id +} + +resource "github_actions_organization_secret" "tenant_id" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + secret_name = coalesce(var.oidc_configuration.azure.tenant_id_variable_name, "AZURE_TENANT_ID") + plaintext_value = var.oidc_configuration.azure.tenant_id + visibility = "selected" + selected_repository_ids = [ + github_repository.bootstrap_repo.repo_id, + github_repository.organizations_repo.repo_id + ] +} + +resource "github_actions_organization_secret" "subscription_id" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + secret_name = coalesce(var.oidc_configuration.azure.subscription_id_variable_name, "AZURE_SUBSCRIPTION_ID") + plaintext_value = var.oidc_configuration.azure.subscription_id + visibility = "selected" + selected_repository_ids = [ + github_repository.bootstrap_repo.repo_id, + github_repository.organizations_repo.repo_id + ] +} + +resource "github_actions_organization_secret" "resource_group_name" { + count = var.oidc_configuration.azure != null ? 
1 : 0 + + secret_name = coalesce(var.oidc_configuration.azure.resource_group_name_variable_name, "AZURE_RESOURCE_GROUP_NAME") + plaintext_value = var.oidc_configuration.azure.resource_group_name + visibility = "selected" + selected_repository_ids = [ + github_repository.bootstrap_repo.repo_id, + github_repository.organizations_repo.repo_id + ] +} + +resource "github_actions_organization_secret" "storage_account_name" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + secret_name = coalesce(var.oidc_configuration.azure.storage_account_name_variable_name, "AZURE_STORAGE_ACCOUNT_NAME") + plaintext_value = var.oidc_configuration.azure.storage_account_name + visibility = "selected" + selected_repository_ids = [ + github_repository.bootstrap_repo.repo_id, + github_repository.organizations_repo.repo_id + ] +} + +resource "github_actions_organization_secret" "container_name" { + count = var.oidc_configuration.azure != null ? 1 : 0 + + secret_name = coalesce(var.oidc_configuration.azure.container_name_variable_name, "AZURE_CONTAINER_NAME") + plaintext_value = var.oidc_configuration.azure.container_name + visibility = "selected" + selected_repository_ids = [ + github_repository.bootstrap_repo.repo_id, + github_repository.organizations_repo.repo_id + ] +} diff --git a/modules/github-foundations/variables.tf b/modules/github-foundations/variables.tf index fe9583e..6cbad6b 100644 --- a/modules/github-foundations/variables.tf +++ b/modules/github-foundations/variables.tf 
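Review bot: The guard `count = var.oidc_configuration.azure != null ? 1 : 0` is repeated verbatim in all six resources; a single `locals { azure_oidc_enabled = var.oidc_configuration.azure != null }` used as `count = local.azure_oidc_enabled ? 1 : 0` keeps the condition in one place when the shape of `oidc_configuration` changes. Every `plaintext_value` here is also written to Terraform state in clear, so a comment on the first resource noting that the state backend is the trust boundary for these values would help whoever operates the module.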
@@ -43,6 +43,28 @@ variable "oidc_configuration" { bucket_location_variable_name = optional(string) bucket_location = string })) + azure = optional(object({ + bootstrap_client_id_variable_name = optional(string) + bootstrap_client_id = string + + organization_client_id_variable_name = optional(string) + organization_client_id = string + + tenant_id_variable_name = optional(string) + tenant_id = string + + subscription_id_variable_name = optional(string) + subscription_id = string + + resource_group_name_variable_name = optional(string) + resource_group_name = string + + storage_account_name_variable_name = optional(string) + storage_account_name = string + + container_name_variable_name = optional(string) + container_name = string + })) custom = optional(object({ organization_secrets = map(string) organization_variables = map(string) From e3ec571bb25c3402c3453f165a67afd20289f265 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Tue, 28 May 2024 14:26:53 -0400 Subject: [PATCH 03/37] removed some comments --- modules/github-azure-oidc/resource_group.tf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/modules/github-azure-oidc/resource_group.tf b/modules/github-azure-oidc/resource_group.tf index 1697623..0fc2bb2 100644 --- a/modules/github-azure-oidc/resource_group.tf +++ b/modules/github-azure-oidc/resource_group.tf @@ -14,9 +14,4 @@ resource "azurerm_resource_group" "github_foundations_rg" { count = var.rg_create ? 1 : 0 name = var.rg_name location = var.rg_location -} - -#tf state req -#gcp foldrs and projects -> az subscription and resource groups -#gcp storage bucket -> az storage account and container -#gcp sa -> az managed identity +} \ No newline at end of file From 97bf42ee917cb833c96cc0df948e4af0523d83ac Mon Sep 17 00:00:00 2001 
From: Tyler Mizuyabu Date: Tue, 28 May 2024 14:42:55 -0400 Subject: [PATCH 04/37] fmted --- modules/github-azure-oidc/oidc.tf | 68 ++++++++++----------- modules/github-azure-oidc/resource_group.tf | 6 +- modules/github-azure-oidc/storage.tf | 26 ++++---- modules/github-azure-oidc/variables.tf | 40 ++++++------ modules/github-azure-oidc/versions.tf | 2 +- 5 files changed, 71 insertions(+), 71 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 724ed85..65345e0 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -6,16 +6,16 @@ locals { organizations_repo_name = "organizations" state_file_access_roles = tolist([{ - scope = "${azurerm_storage_container.azurerm_storage_container.resource_manager_id }" + scope = "${azurerm_storage_container.azurerm_storage_container.resource_manager_id}" role_definition_name = "Storage Blob Data Contributor" }]) - + bootstrap_project_roles = local.state_file_access_roles organizations_project_roles = concat( local.state_file_access_roles, tolist([{ - scope = "${azurerm_key_vault.key_vault.id}" + scope = "${azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Secrets User" }]) # tolist([ @@ -29,7 +29,7 @@ locals { data "azurerm_client_config" "current" {} data "azurerm_key_vault" "key_vault" { - name = var.kv_name + name = var.kv_name resource_group_name = var.kv_resource_group != "" ? var.kv_resource_group : local.github_foundations_rg.name } 
@@ -38,63 +38,63 @@ data "azurerm_key_vault" "key_vault" { */ resource "azurerm_user_assigned_identity" "bootstrap_identity" { - location = local.github_foundations_rg.location + location = local.github_foundations_rg.location resource_group_name = local.github_foundations_rg.name - name = "${local.bootstrap_repo_name}-identity" + name = "${local.bootstrap_repo_name}-identity" } resource "azurerm_role_assignment" "bootstrap_role_assignment" { - for_each = toset(local.bootstrap_project_roles) - scope = each.value.scope + for_each = toset(local.bootstrap_project_roles) + scope = each.value.scope role_definition_name = each.value.role_definition_name - principal_id = azurerm_user_assigned_identity.bootstrap_identity.principal_id + principal_id = azurerm_user_assigned_identity.bootstrap_identity.principal_id } resource "azurerm_user_assigned_identity" "organization_identity" { - location = local.github_foundations_rg.location + location = local.github_foundations_rg.location resource_group_name = local.github_foundations_rg.name - name = "${local.organizations_repo_name}-identity" + name = "${local.organizations_repo_name}-identity" } resource "azurerm_role_assignment" "organization_role_assignment" { - for_each = toset(local.organizations_project_roles) - scope = each.value.scope + for_each = toset(local.organizations_project_roles) + scope = each.value.scope role_definition_name = each.value.role_definition_name - principal_id = azurerm_user_assigned_identity.organization_identity.principal_id + principal_id = azurerm_user_assigned_identity.organization_identity.principal_id } resource "azurerm_federated_identity_credential" "bootstrap_pull_request_credentials" { - name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-pr-credentials" + name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-pr-credentials" resource_group_name = local.github_foundations_rg.name - audience = [local.default_audience_name] - issuer = 
local.github_issuer_url - parent_id = azurerm_user_assigned_identity.bootstrap_identity.id - subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:pull_request" + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.bootstrap_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:pull_request" } resource "azurerm_federated_identity_credential" "bootstrap_drift_credentials" { - name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-drift-credentials" + name = "${var.github_foundations_organization_name}-${local.bootstrap_repo_name}-drift-credentials" resource_group_name = local.github_foundations_rg.name - audience = [local.default_audience_name] - issuer = local.github_issuer_url - parent_id = azurerm_user_assigned_identity.bootstrap_identity.id - subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.bootstrap_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.bootstrap_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" } resource "azurerm_federated_identity_credential" "organization_pull_request_credentials" { - name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-pr-credentials" + name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-pr-credentials" resource_group_name = local.github_foundations_rg.name - audience = [local.default_audience_name] - issuer = local.github_issuer_url - parent_id = azurerm_user_assigned_identity.organization_identity.id - subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:pull_request" + audience = 
[local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.organization_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:pull_request" } resource "azurerm_federated_identity_credential" "organization_drift_credentials" { - name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-drift-credentials" + name = "${var.github_foundations_organization_name}-${local.organizations_repo_name}-drift-credentials" resource_group_name = local.github_foundations_rg.name - audience = [local.default_audience_name] - issuer = local.github_issuer_url - parent_id = azurerm_user_assigned_identity.organization_identity.id - subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" + audience = [local.default_audience_name] + issuer = local.github_issuer_url + parent_id = azurerm_user_assigned_identity.organization_identity.id + subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" } \ No newline at end of file diff --git a/modules/github-azure-oidc/resource_group.tf b/modules/github-azure-oidc/resource_group.tf index 0fc2bb2..9632e1a 100644 --- a/modules/github-azure-oidc/resource_group.tf +++ b/modules/github-azure-oidc/resource_group.tf @@ -7,11 +7,11 @@ locals { } data "azurerm_resource_group" "github_foundations_rg" { - count = var.rg_create ? 0 : 1 - name = var.rg_name + count = var.rg_create ? 0 : 1 + name = var.rg_name } resource "azurerm_resource_group" "github_foundations_rg" { - count = var.rg_create ? 1 : 0 + count = var.rg_create ? 1 : 0 name = var.rg_name location = var.rg_location } \ No newline at end of file diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 752e457..585a901 100644 
--- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf 
@@ -1,27 +1,27 @@ locals { - default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? var.tf_state_container_default_encryption_scope : null + default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? var.tf_state_container_default_encryption_scope : null } resource "azurerm_storage_account" "github_foundations_sa" { - name = var.sa_name - resource_group_name = local.github_foundations_rg.name - location = local.github_foundations_rg.location - account_tier = var.sa_tier + name = var.sa_name + resource_group_name = local.github_foundations_rg.name + location = local.github_foundations_rg.location + account_tier = var.sa_tier account_replication_type = var.sa_replication_type } resource "azurerm_storage_encryption_scope" "encryption_scope" { - count = var.tf_state_container_default_encryption_scope.name != "" ? 1 : 0 - name = var.tf_state_container_default_encryption_scope.name + count = var.tf_state_container_default_encryption_scope.name != "" ? 
1 : 0 + name = var.tf_state_container_default_encryption_scope.name storage_account_id = azurerm_storage_account.github_foundations_sa.id - source = var.tf_state_container_default_encryption_scope.source - key_vault_key_id = var.tf_state_container_default_encryption_scope.key_vault_key_id + source = var.tf_state_container_default_encryption_scope.source + key_vault_key_id = var.tf_state_container_default_encryption_scope.key_vault_key_id } resource "azurerm_storage_container" "github_foundations_tf_state_container" { - name = var.tf_state_container - storage_account_name = azurerm_storage_account.github_foundations_sa.name - container_access_type = var.tf_state_container_anonymous_access_level - default_encryption_scope = local.default_encryption_scope + name = var.tf_state_container + storage_account_name = azurerm_storage_account.github_foundations_sa.name + container_access_type = var.tf_state_container_anonymous_access_level + default_encryption_scope = local.default_encryption_scope encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf index adc7093..b1f1bf5 100644 --- a/modules/github-azure-oidc/variables.tf +++ b/modules/github-azure-oidc/variables.tf 
@@ -6,75 +6,75 @@ variable "rg_create" { } variable "rg_name" { - type = string + type = string description = "The name of the resource group to create the github foundation azure resources in." } variable "rg_location" { - type = string + type = string description = "The location of the resource group to create the github foundation azure resources in." } #Storage Variables -variable sa_name { - type = string +variable "sa_name" { + type = string description = "The name of the storage account for github foundations." } variable "sa_tier" { - type = string + type = string description = "The tier of the storage account for github foundations. Valid options are Standard and Premium." } variable "sa_replication_type" { - type = string + type = string description = "The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA_GZRS." } variable "tf_state_container" { - type = string + type = string description = "The name of the container to store the terraform state file(s) in." - default = "tfstate" + default = "tfstate" } variable "tf_state_container_anonymous_access_level" { - type = string + type = string description = "The anonymous access level of the container to store the terraform state file(s) in." - default = "private" + default = "private" } variable "tf_state_container_encryption_scope_override_enabled" { - type = bool + type = bool description = "Whether or not the encryption scope override is enabled for the container to store the terraform state file(s) in. Defaults to false" - default = false + default = false } variable "tf_state_container_default_encryption_scope" { type = object({ - name = string - source = string + name = string + source = string key_vault_key_id = optional(string) }) description = "The default encryption scope of the container to store the terraform state file(s) in." 
default = { - name = "" - source = "" + name = "" + source = "" storage_account_id = "" } validation { - condition = var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null + condition = var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null error_message = "Key vault key id must be set when source is \"Microsoft.KeyVault\"." } } #Key Vault Variables variable "kv_name" { - type = string + type = string description = "The name of the key vault to use for github foundation secrets." } variable "kv_resource_group" { - type = string + type = string description = "The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group." } @@ -86,6 +86,6 @@ variable "github_foundations_organization_name" { } variable "drift_detection_branch_name" { - type = string + type = string description = "The name of the branch to use for drift detection." } \ No newline at end of file diff --git a/modules/github-azure-oidc/versions.tf b/modules/github-azure-oidc/versions.tf index 2083643..d34e8d7 100644 --- a/modules/github-azure-oidc/versions.tf +++ b/modules/github-azure-oidc/versions.tf @@ -2,7 +2,7 @@ terraform { required_version = ">= 1.6" required_providers { azurerm = { - source = "hashicorp/azurerm" + source = "hashicorp/azurerm" version = ">=3.0.0" #tftest } google-beta = { From c4c76d2ed1fc232697b4213fcd4929d25d790227 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Tue, 28 May 2024 15:03:07 -0400 Subject: [PATCH 05/37] fixed bad references --- modules/github-azure-oidc/oidc.tf | 2 +- modules/github-azure-oidc/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 65345e0..204a917 100644 
--- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -6,7 +6,7 @@ locals { organizations_repo_name = "organizations" state_file_access_roles = tolist([{ - scope = "${azurerm_storage_container.azurerm_storage_container.resource_manager_id}" + scope = "${azurerm_storage_container.github_foundations_tf_state_container.resource_manager_id}" role_definition_name = "Storage Blob Data Contributor" }]) diff --git a/modules/github-azure-oidc/outputs.tf b/modules/github-azure-oidc/outputs.tf index 662e3b6..2525295 100644 --- a/modules/github-azure-oidc/outputs.tf +++ b/modules/github-azure-oidc/outputs.tf @@ -25,7 +25,7 @@ output "subscription_id" { output "sa_name" { description = "Terraform state container storage account name." - value = azurerm_storage_account.azurerm_storage_account.name + value = azurerm_storage_account.github_foundations_sa.name } output "container_name" { From 93355531bc115f7a1d5cff4593d3a920890b5e64 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Tue, 28 May 2024 15:03:14 -0400 Subject: [PATCH 06/37] fixed variable validation --- modules/github-azure-oidc/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf index b1f1bf5..7eaab01 100644 --- a/modules/github-azure-oidc/variables.tf +++ b/modules/github-azure-oidc/variables.tf 
@@ -62,7 +62,7 @@ variable "tf_state_container_default_encryption_scope" {
 storage_account_id = ""
 }
 validation {
- condition = var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null
+ condition = var.name == "" || var.tf_state_container_default_encryption_scope.source != "Microsoft.KeyVault" || (var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null)
 error_message = "Key vault key id must be set when source is \"Microsoft.KeyVault\"."
 }
 }

From 47a871cb6756908274996f5d293404d64ab2670c Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Tue, 28 May 2024 15:04:06 -0400
Subject: [PATCH 07/37] fixed variable validation

---
 modules/github-azure-oidc/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf
index 7eaab01..e4073a7 100644
--- a/modules/github-azure-oidc/variables.tf
+++ b/modules/github-azure-oidc/variables.tf
@@ -62,7 +62,7 @@ variable "tf_state_container_default_encryption_scope" {
 storage_account_id = ""
 }
 validation {
- condition = var.name == "" || var.tf_state_container_default_encryption_scope.source != "Microsoft.KeyVault" || (var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null)
+ condition = var.tf_state_container_default_encryption_scope.name == "" || var.tf_state_container_default_encryption_scope.source != "Microsoft.KeyVault" || (var.tf_state_container_default_encryption_scope.source == "Microsoft.KeyVault" && var.tf_state_container_default_encryption_scope.key_vault_key_id == null)
 error_message = "Key vault key id must be set when source is \"Microsoft.KeyVault\"."
 }
 }

From fae167c12ceaa9ffc262944e814268eac1e8f1fd Mon Sep 17 00:00:00 2001
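Review bot: The validation condition on the `+` line of the PATCH 07 hunk is still inverted: a `validation` block accepts the value when `condition` is true, and the last alternative is true exactly when `source == "Microsoft.KeyVault"` and `key_vault_key_id == null`, so a Key Vault encryption scope with no key id passes while one that supplies a key id is rejected with the message "Key vault key id must be set". The last alternative should be `var.tf_state_container_default_encryption_scope.key_vault_key_id != null` (the redundant `source == "Microsoft.KeyVault" &&` can go, since the preceding `||` term already handles the other source), i.e. `condition = var.tf_state_container_default_encryption_scope.name == "" || var.tf_state_container_default_encryption_scope.source != "Microsoft.KeyVault" || var.tf_state_container_default_encryption_scope.key_vault_key_id != null`. If callers may pass an empty string rather than omit the attribute, `try(length(...key_vault_key_id) > 0, false)` is the stricter form. Because this object selects the customer-managed key for the container that will hold Terraform state, an empty key id slipping through here is a security regression rather than a cosmetic one, so it is worth pinning with a failing-input test.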
From: Tyler Mizuyabu Date: Tue, 28 May 2024 15:05:05 -0400 Subject: [PATCH 08/37] fixed variable reference --- modules/github-azure-oidc/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 585a901..2242cfc 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -22,6 +22,6 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level - default_encryption_scope = local.default_encryption_scope + default_encryption_scope = local.default_encryption_scope.name encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From 44a230341ad7f479cb5a52a5cfffcbf2bd89f28a Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Tue, 28 May 2024 15:06:50 -0400 Subject: [PATCH 09/37] fixed variable validation --- modules/github-foundations/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-foundations/variables.tf b/modules/github-foundations/variables.tf index 6cbad6b..bffd7f8 100644 --- a/modules/github-foundations/variables.tf +++ b/modules/github-foundations/variables.tf @@ -73,7 +73,7 @@ variable "oidc_configuration" { })) }) validation { - condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null + condition = var.oidc_configuration.gcp != null || var.oidc_configuration.custom != null || var.oidc_configuration.azure != null error_message = "At least one oidc_configuration must be set." } } From 4ca15afd2cb8ffdeb00c5bbae4865359beb8970f Mon Sep 17 00:00:00 2001 
From: Tyler Mizuyabu Date: Tue, 28 May 2024 15:06:56 -0400 Subject: [PATCH 10/37] fixed data source reference --- modules/github-azure-oidc/oidc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 204a917..859c27c 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -15,7 +15,7 @@ locals { organizations_project_roles = concat( local.state_file_access_roles, tolist([{ - scope = "${azurerm_key_vault.key_vault.id}" + scope = "${data.azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Secrets User" }]) # tolist([ From f13fef175a3f25e86afe300529d9c070afeb4b48 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:02:13 -0400 Subject: [PATCH 11/37] fix variable reference --- modules/github-azure-oidc/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 2242cfc..5c70703 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -22,6 +22,6 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level - default_encryption_scope = local.default_encryption_scope.name + default_encryption_scope = try(azurerm_storage_encryption_scope.encryption_scope[0].name, null) encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From 74ba55aab026a3772a21e2b0fcb5dcbcf164b152 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:12:06 -0400 Subject: [PATCH 12/37] trying something --- modules/github-azure-oidc/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 5c70703..8888a99 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -22,6 +22,6 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level - default_encryption_scope = try(azurerm_storage_encryption_scope.encryption_scope[0].name, null) + default_encryption_scope = null encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From e983ade6f27d045b4f6c120afadf81dc7bb2c132 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:13:18 -0400 Subject: [PATCH 13/37] trying something else --- modules/github-azure-oidc/storage.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 8888a99..05e3c99 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -22,6 +22,5 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level - default_encryption_scope = null encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From 8bb1fb0f02454261c52a7547e474c51f6029425a Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:14:24 -0400 Subject: [PATCH 14/37] trying something else --- modules/github-azure-oidc/storage.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 05e3c99..5e7306c 100644 
--- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -22,5 +22,4 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level - encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From 28a72062bffe06bd76ba847da317e05c8a914a0c Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:19:43 -0400 Subject: [PATCH 15/37] fixed default encryption scope variable --- modules/github-azure-oidc/storage.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 5e7306c..5897d9d 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -1,5 +1,5 @@ locals { - default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? var.tf_state_container_default_encryption_scope : null + default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? azurerm_storage_encryption_scope.encryption_scope[0].name : null } resource "azurerm_storage_account" "github_foundations_sa" { @@ -22,4 +22,6 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level + default_encryption_scope = local.default_encryption_scope + encryption_scope_override_enabled = var.tf_state_container_encryption_scope_override_enabled } \ No newline at end of file From 7a6c642b49549615c0215ab94553e76bbbcff294 Mon Sep 17 00:00:00 2001 
From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:23:47 -0400 Subject: [PATCH 16/37] I can't believe I have to work around another terraform provider bug --- modules/github-azure-oidc/oidc.tf | 2 +- modules/github-azure-oidc/outputs.tf | 2 +- modules/github-azure-oidc/storage.tf | 9 +++++++++ 3 files changed, 11 insertions(+), 2 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 859c27c..35f6fa9 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -6,7 +6,7 @@ locals { organizations_repo_name = "organizations" state_file_access_roles = tolist([{ - scope = "${azurerm_storage_container.github_foundations_tf_state_container.resource_manager_id}" + scope = "${local.tf_state_container.resource_manager_id}" role_definition_name = "Storage Blob Data Contributor" }]) diff --git a/modules/github-azure-oidc/outputs.tf b/modules/github-azure-oidc/outputs.tf index 2525295..d698df6 100644 --- a/modules/github-azure-oidc/outputs.tf +++ b/modules/github-azure-oidc/outputs.tf @@ -30,5 +30,5 @@ output "sa_name" { output "container_name" { description = "Terraform state container name." - value = azurerm_storage_container.github_foundations_tf_state_container.name + value = local.tf_state_container.name } \ No newline at end of file diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index 5897d9d..f8511b0 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -1,5 +1,6 @@ locals { default_encryption_scope = var.tf_state_container_default_encryption_scope.name != "" ? azurerm_storage_encryption_scope.encryption_scope[0].name : null + tf_state_container = local.default_encryption_scope == null ? azurerm_storage_container.github_foundations_tf_state_container[0] : azurerm_storage_container.github_foundations_tf_state_encrypted_container[0] } resource "azurerm_storage_account" "github_foundations_sa" { 
@@ -19,6 +20,14 @@ resource "azurerm_storage_encryption_scope" "encryption_scope" {
 }
 
 resource "azurerm_storage_container" "github_foundations_tf_state_container" {
+ count = local.default_encryption_scope == null ? 1 : 0
+ name = var.tf_state_container
+ storage_account_name = azurerm_storage_account.github_foundations_sa.name
+ container_access_type = var.tf_state_container_anonymous_access_level
+}
+
+resource "azurerm_storage_container" "github_foundations_tf_state_encrypted_container" {
+ count = local.default_encryption_scope != null ? 1 : 0
 name = var.tf_state_container
 storage_account_name = azurerm_storage_account.github_foundations_sa.name
 container_access_type = var.tf_state_container_anonymous_access_level

From 24e27c5f3c4937ce35df07fee5f503b4994077b8 Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Wed, 29 May 2024 10:38:34 -0400
Subject: [PATCH 17/37] change it from being a set

---
 modules/github-azure-oidc/oidc.tf | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf
index 35f6fa9..18e5c9e 100644
--- a/modules/github-azure-oidc/oidc.tf
+++ b/modules/github-azure-oidc/oidc.tf
@@ -18,11 +18,6 @@ locals {
 scope = "${data.azurerm_key_vault.key_vault.id}"
 role_definition_name = "Key Vault Secrets User"
 }])
- # tolist([
- # "roles/secretmanager.viewer",
- # "roles/secretmanager.secretAccessor",
- # "roles/iam.workloadIdentityUser"
- # ])
 )
 }
 
@@ -44,7 +39,7 @@ resource "azurerm_user_assigned_identity" "bootstrap_identity" {
 }
 
 resource "azurerm_role_assignment" "bootstrap_role_assignment" {
- for_each = toset(local.bootstrap_project_roles)
+ for_each = local.bootstrap_project_roles
 scope = each.value.scope
 role_definition_name = each.value.role_definition_name
 principal_id = azurerm_user_assigned_identity.bootstrap_identity.principal_id
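Review bot: The two count-gated `azurerm_storage_container` resources both create `name = var.tf_state_container`, so toggling `tf_state_container_default_encryption_scope.name` between empty and non-empty moves the count from one resource to the other and Terraform will plan to destroy the existing state container, with every state blob in it, before creating the replacement; a container holding Terraform state should never be deletable by a one-line variable change. Add `lifecycle { prevent_destroy = true }` to both resources so the plan fails loudly, and document that switching encryption scope requires a deliberate migration (Azure may in any case require recreation to change a container's default encryption scope — confirm before promising an in-place path). Separately, both new resources take `container_access_type = var.tf_state_container_anonymous_access_level`; the module docs default it to `"private"`, but nothing visible here rejects `"blob"` or `"container"`, either of which would serve state files (credentials, resource ids, key vault names) to unauthenticated readers. A `validation` on that variable restricting it to `"private"`, or at minimum a comment `# state files contain secrets; anything other than "private" exposes them anonymously`, would close that gap. The `azurerm_storage_encryption_scope` resource the hunk header names starts outside this hunk.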
@@ -57,7 +52,7 @@ resource "azurerm_user_assigned_identity" "organization_identity" { } resource "azurerm_role_assignment" "organization_role_assignment" { - for_each = toset(local.organizations_project_roles) + for_each = local.organizations_project_roles scope = each.value.scope role_definition_name = each.value.role_definition_name principal_id = azurerm_user_assigned_identity.organization_identity.principal_id From ebbab31870a0e7d272061389613698139dbea424 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:41:38 -0400 Subject: [PATCH 18/37] changed to a map --- modules/github-azure-oidc/oidc.tf | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 18e5c9e..5b3d1e4 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -5,19 +5,23 @@ locals { bootstrap_repo_name = "bootstrap" organizations_repo_name = "organizations" - state_file_access_roles = tolist([{ - scope = "${local.tf_state_container.resource_manager_id}" - role_definition_name = "Storage Blob Data Contributor" - }]) + state_file_access_roles = { + "${local.tf_state_container.name}-write" = { + scope = "${local.tf_state_container.resource_manager_id}" + role_definition_name = "Storage Blob Data Contributor" + } + } bootstrap_project_roles = local.state_file_access_roles - organizations_project_roles = concat( + organizations_project_roles = merge( local.state_file_access_roles, - tolist([{ - scope = "${data.azurerm_key_vault.key_vault.id}" - role_definition_name = "Key Vault Secrets User" - }]) + { + "${data.azurerm_key_vault.key_vault.id}-read" = { + scope = "${data.azurerm_key_vault.key_vault.id}" + role_definition_name = "Key Vault Secrets User" + } + } ) } 
@@ -92,4 +96,4 @@ resource "azurerm_federated_identity_credential" "organization_drift_credentials issuer = local.github_issuer_url parent_id = azurerm_user_assigned_identity.organization_identity.id subject = "repo:${var.github_foundations_organization_name}/${local.organizations_repo_name}:ref:refs/heads/${var.drift_detection_branch_name}" -} \ No newline at end of file +} From 752da7fdf54027be2d15ead42d9003ade7c86454 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:42:51 -0400 Subject: [PATCH 19/37] fix role keys --- modules/github-azure-oidc/oidc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 5b3d1e4..fcc4fdb 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -6,7 +6,7 @@ locals { organizations_repo_name = "organizations" state_file_access_roles = { - "${local.tf_state_container.name}-write" = { + "container-${local.tf_state_container.name}-write" = { scope = "${local.tf_state_container.resource_manager_id}" role_definition_name = "Storage Blob Data Contributor" } @@ -17,7 +17,7 @@ locals { organizations_project_roles = merge( local.state_file_access_roles, { - "${data.azurerm_key_vault.key_vault.id}-read" = { + "keyvault-${data.azurerm_key_vault.key_vault.name}-read" = { scope = "${data.azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Secrets User" } From 5f18f53b80067479bc95865ba3bd8a6af9d8d7da Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Wed, 29 May 2024 10:48:48 -0400 Subject: [PATCH 20/37] fixing outputs --- modules/github-azure-oidc/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/outputs.tf b/modules/github-azure-oidc/outputs.tf index d698df6..d26968a 100644 --- a/modules/github-azure-oidc/outputs.tf +++ b/modules/github-azure-oidc/outputs.tf 
@@ -1,6 +1,6 @@ output "resource_group" { description = "Resource group name." - value = local.github_foundations_rg + value = local.github_foundations_rg.name } output "bootstrap_client_id" { From c6162cd5fd0727e4f2d7f4b452123a30c85f2d0d Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 30 May 2024 09:07:51 -0400 Subject: [PATCH 21/37] changed some secrest to variables --- .../azure-oidc-variables.tf | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/github-foundations/azure-oidc-variables.tf b/modules/github-foundations/azure-oidc-variables.tf index eaca04f..8719b9e 100644 --- a/modules/github-foundations/azure-oidc-variables.tf +++ b/modules/github-foundations/azure-oidc-variables.tf @@ -26,11 +26,11 @@ resource "github_actions_organization_secret" "tenant_id" { ] } -resource "github_actions_organization_secret" "subscription_id" { +resource "github_actions_organization_variable" "subscription_id" { count = var.oidc_configuration.azure != null ? 1 : 0 - secret_name = coalesce(var.oidc_configuration.azure.subscription_id_variable_name, "AZURE_SUBSCRIPTION_ID") - plaintext_value = var.oidc_configuration.azure.subscription_id + variable_name = coalesce(var.oidc_configuration.azure.subscription_id_variable_name, "AZURE_SUBSCRIPTION_ID") + value = var.oidc_configuration.azure.subscription_id visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, 
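Review bot: In the subscription_id hunk the value moves from a masked `github_actions_organization_secret` to a `github_actions_organization_variable`, which is readable in plaintext by anyone with read access to the selected repositories and is not masked in workflow logs; that is defensible for a subscription id, which is an identifier rather than a credential, but `tenant_id` in the context lines just above stays a secret even though it is the same class of identifier, so the split looks accidental rather than deliberate. Either convert tenant_id the same way or record the rationale next to it, e.g. `# tenant_id is not a credential; kept as a secret only to keep it out of logs`. Note that once storage account and container names are variables, repository readers learn exactly where the state lives, so the state container's access level elsewhere in this module (and the Entra/OIDC role assignments on it) become the only barrier between them and state contents — worth a sentence in the module README. The resource blocks in this file are cut at the hunk boundary.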
@@ -38,11 +38,11 @@ resource "github_actions_organization_secret" "subscription_id" { ] } -resource "github_actions_organization_secret" "resource_group_name" { +resource "github_actions_organization_variable" "resource_group_name" { count = var.oidc_configuration.azure != null ? 1 : 0 - secret_name = coalesce(var.oidc_configuration.azure.resource_group_name_variable_name, "AZURE_RESOURCE_GROUP_NAME") - plaintext_value = var.oidc_configuration.azure.resource_group_name + variable_name = coalesce(var.oidc_configuration.azure.resource_group_name_variable_name, "AZURE_RESOURCE_GROUP_NAME") + value = var.oidc_configuration.azure.resource_group_name visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, @@ -50,11 +50,11 @@ resource "github_actions_organization_secret" "resource_group_name" { ] } -resource "github_actions_organization_secret" "storage_account_name" { +resource "github_actions_organization_variable" "storage_account_name" { count = var.oidc_configuration.azure != null ? 1 : 0 - secret_name = coalesce(var.oidc_configuration.azure.storage_account_name_variable_name, "AZURE_STORAGE_ACCOUNT_NAME") - plaintext_value = var.oidc_configuration.azure.storage_account_name + variable_name = coalesce(var.oidc_configuration.azure.storage_account_name_variable_name, "AZURE_STORAGE_ACCOUNT_NAME") + value = var.oidc_configuration.azure.storage_account_name visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, 
@@ -62,11 +62,11 @@ resource "github_actions_organization_secret" "storage_account_name" { ] } -resource "github_actions_organization_secret" "container_name" { +resource "github_actions_organization_variable" "container_name" { count = var.oidc_configuration.azure != null ? 1 : 0 - secret_name = coalesce(var.oidc_configuration.azure.container_name_variable_name, "AZURE_CONTAINER_NAME") - plaintext_value = var.oidc_configuration.azure.container_name + variable_name = coalesce(var.oidc_configuration.azure.container_name_variable_name, "AZURE_CONTAINER_NAME") + value = var.oidc_configuration.azure.container_name visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, From 65739c528c45b2dcfc6ddd16887528c266c3dcf8 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 30 May 2024 10:54:04 -0400 Subject: [PATCH 22/37] added keyvault reader --- modules/github-azure-oidc/oidc.tf | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index fcc4fdb..b09be96 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -17,10 +17,16 @@ locals { organizations_project_roles = merge( local.state_file_access_roles, { - "keyvault-${data.azurerm_key_vault.key_vault.name}-read" = { + "keyvault-${data.azurerm_key_vault.key_vault.name}-secret-read" = { scope = "${data.azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Secrets User" } + }, + { + "keyvault-${data.azurerm_key_vault.key_vault.name}-vault-read" = { + scope = "${data.azurerm_key_vault.key_vault.id}" + role_definition_name = "Key Vault Reader" + } } ) } From d0f31dccbb0f7e29419620511c61539956899581 Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 30 May 2024 10:58:43 -0400 Subject: [PATCH 23/37] changed contributor permissions to owner --- modules/github-azure-oidc/oidc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf
index b09be96..a6ede88 100644
--- a/modules/github-azure-oidc/oidc.tf
+++ b/modules/github-azure-oidc/oidc.tf
@@ -8,7 +8,7 @@ locals {
 state_file_access_roles = {
 "container-${local.tf_state_container.name}-write" = {
 scope = "${local.tf_state_container.resource_manager_id}"
- role_definition_name = "Storage Blob Data Contributor"
+ role_definition_name = "Storage Blob Data Owner"
 }
 }
 
From aa9ac650cb1676db6dc1cd471aa274a4ecde4347 Mon Sep 17 00:00:00 2001
From: Tyler Mizuyabu
Date: Thu, 30 May 2024 11:19:43 -0400
Subject: [PATCH 24/37] adding storage account contributor

---
 modules/github-azure-oidc/oidc.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf
index a6ede88..90d42e7 100644
--- a/modules/github-azure-oidc/oidc.tf
+++ b/modules/github-azure-oidc/oidc.tf
@@ -8,7 +8,11 @@ locals {
 state_file_access_roles = {
 "container-${local.tf_state_container.name}-write" = {
 scope = "${local.tf_state_container.resource_manager_id}"
- role_definition_name = "Storage Blob Data Owner"
+ role_definition_name = "Storage Blob Data Contributor"
+ },
+ "storage-account-${azurerm_storage_account.github_foundations_sa.name}-contributor" = {
+ scope = "${azurerm_storage_account.github_foundations_sa.id}"
+ role_definition_name = "Storage Account Contributor"
 }
 }
 
From 83006a46c57b184159b4cd39444e5c4dcf056bb4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 30 May 2024 15:57:33 +0000
Subject: [PATCH 25/37] terraform-docs: automated action

---
 modules/github-azure-oidc/README.md | 70 ++++++++++++++++++++++++++++
 modules/github-foundations/README.md | 9 +++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 modules/github-azure-oidc/README.md

diff --git a/modules/github-azure-oidc/README.md b/modules/github-azure-oidc/README.md
new file mode 100644
index 0000000..9a0ceaa
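Review bot: The new `Storage Account Contributor` entry in the PATCH 24 hunk is a management-plane role scoped to the whole storage account, and the built-in definition includes `Microsoft.Storage/storageAccounts/listKeys/action`, so any identity that receives `state_file_access_roles` can read the shared account keys and use them to reach every container in `github_foundations_sa` with full data-plane rights; that makes the container-scoped `Storage Blob Data Contributor` on the line above meaningless as a least-privilege boundary, and since both identities in this module appear to derive their role maps from `state_file_access_roles`, both would get it. If the role was added because the azurerm backend defaults to key-based access, the narrower fix is to make the backend authenticate as the federated identity (`use_azuread_auth = true` together with `use_oidc = true` in the backend block) and drop this entry; if a specific management action is genuinely required, name it in a comment on the entry and assign a custom role limited to that action. The commit subject gives no reason, so at minimum a comment such as `# WARNING: Storage Account Contributor grants listKeys on the whole account; needed for <reason>` should accompany it. The `locals` block continues outside the hunk.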
--- /dev/null +++ b/modules/github-azure-oidc/README.md 
@@ -0,0 +1,70 @@ +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6 | +| [azurerm](#requirement\_azurerm) | >=3.0.0 | +| [google-beta](#requirement\_google-beta) | >= 3.77 | +| [random](#requirement\_random) | >= 3.6 | + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | >=3.0.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_federated_identity_credential.bootstrap_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.bootstrap_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.organization_drift_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_federated_identity_credential.organization_pull_request_credentials](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/federated_identity_credential) | resource | +| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [azurerm_role_assignment.bootstrap_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_role_assignment.organization_role_assignment](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource | +| [azurerm_storage_account.github_foundations_sa](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | +| 
[azurerm_storage_container.github_foundations_tf_state_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_storage_container.github_foundations_tf_state_encrypted_container](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | +| [azurerm_storage_encryption_scope.encryption_scope](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_encryption_scope) | resource | +| [azurerm_user_assigned_identity.bootstrap_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [azurerm_user_assigned_identity.organization_identity](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/user_assigned_identity) | resource | +| [azurerm_client_config.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/client_config) | data source | +| [azurerm_key_vault.key_vault](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/key_vault) | data source | +| [azurerm_resource_group.github_foundations_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [drift\_detection\_branch\_name](#input\_drift\_detection\_branch\_name) | The name of the branch to use for drift detection. | `string` | n/a | yes | +| [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes | +| [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. 
| `string` | n/a | yes | +| [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes | +| [rg\_create](#input\_rg\_create) | Create resource group. When set to false, uses id to reference an existing resource group. | `bool` | `true` | no | +| [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | +| [rg\_name](#input\_rg\_name) | The name of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | +| [sa\_name](#input\_sa\_name) | The name of the storage account for github foundations. | `string` | n/a | yes | +| [sa\_replication\_type](#input\_sa\_replication\_type) | The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA\_GZRS. | `string` | n/a | yes | +| [sa\_tier](#input\_sa\_tier) | The tier of the storage account for github foundations. Valid options are Standard and Premium. | `string` | n/a | yes | +| [tf\_state\_container](#input\_tf\_state\_container) | The name of the container to store the terraform state file(s) in. | `string` | `"tfstate"` | no | +| [tf\_state\_container\_anonymous\_access\_level](#input\_tf\_state\_container\_anonymous\_access\_level) | The anonymous access level of the container to store the terraform state file(s) in. | `string` | `"private"` | no | +| [tf\_state\_container\_default\_encryption\_scope](#input\_tf\_state\_container\_default\_encryption\_scope) | The default encryption scope of the container to store the terraform state file(s) in. |
object({
name = string
source = string
key_vault_key_id = optional(string)
})
|
{
"name": "",
"source": "",
"storage_account_id": ""
}
| no | +| [tf\_state\_container\_encryption\_scope\_override\_enabled](#input\_tf\_state\_container\_encryption\_scope\_override\_enabled) | Whether or not the encryption scope override is enabled for the container to store the terraform state file(s) in. Defaults to false | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [bootstrap\_client\_id](#output\_bootstrap\_client\_id) | Bootstrap repository client id for authenticating with oidc. | +| [container\_name](#output\_container\_name) | Terraform state container name. | +| [organization\_client\_id](#output\_organization\_client\_id) | Organizations repository client id for authenticating with oidc. | +| [resource\_group](#output\_resource\_group) | Resource group name. | +| [sa\_name](#output\_sa\_name) | Terraform state container storage account name. | +| [subscription\_id](#output\_subscription\_id) | Azure subscription id for authenticating with oidc. | +| [tenant\_id](#output\_tenant\_id) | Azure tenant id for authenticating with oidc. | \ No newline at end of file diff --git a/modules/github-foundations/README.md b/modules/github-foundations/README.md index c5c70c7..b96a1b6 100644 --- a/modules/github-foundations/README.md +++ b/modules/github-foundations/README.md 
@@ -24,11 +24,18 @@ | Name | Type | |------|------| | [github_actions_organization_secret.custom_oidc_organization_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | +| [github_actions_organization_secret.tenant_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | | [github_actions_organization_secret.workload_identity_provider](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_secret) | resource | +| [github_actions_organization_variable.container_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.custom_oidc_organization_variable](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | +| [github_actions_organization_variable.resource_group_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | +| [github_actions_organization_variable.storage_account_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | +| [github_actions_organization_variable.subscription_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.tf_state_bucket_location](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | [github_actions_organization_variable.tf_state_bucket_name](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | | 
[github_actions_organization_variable.tf_state_bucket_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_organization_variable) | resource | +| [github_actions_secret.bootstrap_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | +| [github_actions_secret.organization_managed_identity_client_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | | [github_actions_secret.organization_workload_identity_sa](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | | [github_actions_secret.repository_secret](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_secret) | resource | | [github_actions_variable.gcp_secret_manager_project_id](https://registry.terraform.io/providers/integrations/github/latest/docs/resources/actions_variable) | resource | @@ -49,7 +56,7 @@ | [account\_type](#input\_account\_type) | The type of GitHub account being used. Should be one of either `Personal`, `Organization`, or `Enterprise`. | `string` | n/a | yes | | [bootstrap\_repository\_name](#input\_bootstrap\_repository\_name) | The name of the bootstrap repository. | `string` | `"bootstrap"` | no | | [foundation\_devs\_team\_name](#input\_foundation\_devs\_team\_name) | The name of the foundation developers team. | `string` | `"foundation-devs"` | no | -| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string

organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string

gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string

gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string

bucket_name_variable_name = optional(string)
bucket_name = string

bucket_location_variable_name = optional(string)
bucket_location = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
})
| n/a | yes | +| [oidc\_configuration](#input\_oidc\_configuration) | n/a |
object({
gcp = optional(object({
workload_identity_provider_name_secret_name = optional(string)
workload_identity_provider_name = string

organization_workload_identity_sa_secret_name = optional(string)
organization_workload_identity_sa = string

gcp_secret_manager_project_id_variable_name = optional(string)
gcp_secret_manager_project_id = string

gcp_tf_state_bucket_project_id_variable_name = optional(string)
gcp_tf_state_bucket_project_id = string

bucket_name_variable_name = optional(string)
bucket_name = string

bucket_location_variable_name = optional(string)
bucket_location = string
}))
azure = optional(object({
bootstrap_client_id_variable_name = optional(string)
bootstrap_client_id = string

organization_client_id_variable_name = optional(string)
organization_client_id = string

tenant_id_variable_name = optional(string)
tenant_id = string

subscription_id_variable_name = optional(string)
subscription_id = string

resource_group_name_variable_name = optional(string)
resource_group_name = string

storage_account_name_variable_name = optional(string)
storage_account_name = string

container_name_variable_name = optional(string)
container_name = string
}))
custom = optional(object({
organization_secrets = map(string)
organization_variables = map(string)
repository_secrets = map(map(string))
repository_variables = map(map(string))
}))
})
| n/a | yes | | [organizations\_repository\_name](#input\_organizations\_repository\_name) | The name of the organizations repository. | `string` | `"organizations"` | no | | [readme\_path](#input\_readme\_path) | Local Path to the README file in your current codebase. Pushed to the github foundation repository. | `string` | `""` | no | From 550e1007db479807f3f98612c288b02295a17e0a Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 30 May 2024 13:48:58 -0400 Subject: [PATCH 26/37] making kv_name optional so user's can bring a different secret store if theywant --- modules/github-azure-oidc/oidc.tf | 9 +++++---- modules/github-azure-oidc/variables.tf | 5 +++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index 90d42e7..c108be9 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -20,24 +20,25 @@ locals { organizations_project_roles = merge( local.state_file_access_roles, - { + var.kv_name != "" ? { "keyvault-${data.azurerm_key_vault.key_vault.name}-secret-read" = { scope = "${data.azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Secrets User" } - }, - { + }: {}, + var.kv_name != "" ? { "keyvault-${data.azurerm_key_vault.key_vault.name}-vault-read" = { scope = "${data.azurerm_key_vault.key_vault.id}" role_definition_name = "Key Vault Reader" } - } + }: {} ) } data "azurerm_client_config" "current" {} data "azurerm_key_vault" "key_vault" { + count = var.kv_name != "" ? 1 : 0 name = var.kv_name resource_group_name = var.kv_resource_group != "" ? var.kv_resource_group : local.github_foundations_rg.name } diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf index e4073a7..7ba4f69 100644 --- a/modules/github-azure-oidc/variables.tf +++ b/modules/github-azure-oidc/variables.tf 
@@ -70,7 +70,8 @@ variable "tf_state_container_default_encryption_scope" { #Key Vault Variables variable "kv_name" { type = string - description = "The name of the key vault to use for github foundation secrets." + description = "The name of the key vault to use for github foundation secrets. If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional)" + default = "" } variable "kv_resource_group" { @@ -88,4 +89,4 @@ variable "github_foundations_organization_name" { variable "drift_detection_branch_name" { type = string description = "The name of the branch to use for drift detection." -} \ No newline at end of file +} From 408a84363b76bf5e307b9ff27250dd1aa0b6e8fb Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Thu, 30 May 2024 13:50:22 -0400 Subject: [PATCH 27/37] forgot to index --- modules/github-azure-oidc/oidc.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index c108be9..fce82f6 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -21,14 +21,14 @@ locals { organizations_project_roles = merge( local.state_file_access_roles, var.kv_name != "" ? { - "keyvault-${data.azurerm_key_vault.key_vault.name}-secret-read" = { - scope = "${data.azurerm_key_vault.key_vault.id}" + "keyvault-${data.azurerm_key_vault.key_vault[0].name}-secret-read" = { + scope = "${data.azurerm_key_vault.key_vault[0].id}" role_definition_name = "Key Vault Secrets User" } }: {}, var.kv_name != "" ? { - "keyvault-${data.azurerm_key_vault.key_vault.name}-vault-read" = { - scope = "${data.azurerm_key_vault.key_vault.id}" + "keyvault-${data.azurerm_key_vault.key_vault[0].name}-vault-read" = { + scope = "${data.azurerm_key_vault.key_vault[0].id}" role_definition_name = "Key Vault Reader" } }: {} From 515a8a2f8de13d8dc72df75592d00dfe019aa50b Mon Sep 17 00:00:00 2001 
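Review bot: Making `kv_name` optional leaves `kv_resource_group` (the next variable in this file, and still listed as required with no default in the module README) mandatory, so a caller who omits the vault must still supply a resource-group name that is never used; give it `default = ""` as well, which its own description ("If empty it will default to the github foundations resource group") already implies. The new description is also vague about what "not need to be set" means for the module; suggest `description = "Name of an existing Key Vault whose secrets the organizations identity may read. Leave empty to skip the Key Vault lookup and role assignments, e.g. when GitHub credentials live in another secret store."`. The `@@ -88,4 +89,4 @@` hunk only fixes the trailing newline and needs nothing further.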
From: "github-actions[bot]" Date: Thu, 30 May 2024 17:51:01 +0000 Subject: [PATCH 28/37] terraform-docs: automated action --- modules/github-azure-oidc/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/README.md b/modules/github-azure-oidc/README.md index 9a0ceaa..ec58921 100644 --- a/modules/github-azure-oidc/README.md +++ b/modules/github-azure-oidc/README.md @@ -44,7 +44,7 @@ No modules. |------|-------------|------|---------|:--------:| | [drift\_detection\_branch\_name](#input\_drift\_detection\_branch\_name) | The name of the branch to use for drift detection. | `string` | n/a | yes | | [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes | -| [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. | `string` | n/a | yes | +| [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional) | `string` | `""` | no | | [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes | | [rg\_create](#input\_rg\_create) | Create resource group. When set to false, uses id to reference an existing resource group. | `bool` | `true` | no | | [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | From b413c1376aeb77d2606fa28f6459b7dd1fcb4d80 Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:10:35 -0400 Subject: [PATCH 29/37] Update modules/github-azure-oidc/oidc.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> 
Signed-off-by: TylerMizuyabu --- modules/github-azure-oidc/oidc.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index fce82f6..e1c6329 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -46,7 +46,6 @@ data "azurerm_key_vault" "key_vault" { /** * User assigned identities and roles for github state bucket and federated identity setup */ - resource "azurerm_user_assigned_identity" "bootstrap_identity" { location = local.github_foundations_rg.location resource_group_name = local.github_foundations_rg.name From c4123c98b3adee528f6675a76d3a326c5eef7261 Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:10:43 -0400 Subject: [PATCH 30/37] Update modules/github-azure-oidc/oidc.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-azure-oidc/oidc.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/oidc.tf b/modules/github-azure-oidc/oidc.tf index e1c6329..10a1865 100644 --- a/modules/github-azure-oidc/oidc.tf +++ b/modules/github-azure-oidc/oidc.tf @@ -38,7 +38,7 @@ locals { data "azurerm_client_config" "current" {} data "azurerm_key_vault" "key_vault" { - count = var.kv_name != "" ? 1 : 0 + count = var.kv_name != "" ? 1 : 0 name = var.kv_name resource_group_name = var.kv_resource_group != "" ? var.kv_resource_group : local.github_foundations_rg.name } From cfbbb05da1337b73a44f21f12a427e3dbc78735b Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:10:50 -0400 Subject: [PATCH 31/37] Update modules/github-azure-oidc/storage.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-azure-oidc/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index f8511b0..e632fcd 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -20,7 +20,7 @@ resource "azurerm_storage_encryption_scope" "encryption_scope" { } resource "azurerm_storage_container" "github_foundations_tf_state_container" { - count = local.default_encryption_scope == null ? 1 : 0 + count = local.default_encryption_scope == null ? 1 : 0 name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level From e0af781abc067f51975457a678cee4a40280a514 Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:10:58 -0400 Subject: [PATCH 32/37] Update modules/github-azure-oidc/storage.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-azure-oidc/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/storage.tf b/modules/github-azure-oidc/storage.tf index e632fcd..ba6181f 100644 --- a/modules/github-azure-oidc/storage.tf +++ b/modules/github-azure-oidc/storage.tf @@ -27,7 +27,7 @@ resource "azurerm_storage_container" "github_foundations_tf_state_container" { } resource "azurerm_storage_container" "github_foundations_tf_state_encrypted_container" { - count = local.default_encryption_scope != null ? 1 : 0 + count = local.default_encryption_scope != null ? 1 : 0 name = var.tf_state_container storage_account_name = azurerm_storage_account.github_foundations_sa.name container_access_type = var.tf_state_container_anonymous_access_level From 1602e30c69774b33500e5e73a6d9d7d5edb55a3d Mon Sep 17 00:00:00 2001 
From: TylerMizuyabu Date: Fri, 31 May 2024 09:11:18 -0400 Subject: [PATCH 33/37] Update modules/github-azure-oidc/variables.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-azure-oidc/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf index 7ba4f69..1cd0f5a 100644 --- a/modules/github-azure-oidc/variables.tf +++ b/modules/github-azure-oidc/variables.tf @@ -1,4 +1,4 @@ -#Resource Group Variables +# Resource Group Variables variable "rg_create" { description = "Create resource group. When set to false, uses id to reference an existing resource group." type = bool From 36b189d9e38f627dd27851fe296912b2511fd136 Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:11:28 -0400 Subject: [PATCH 34/37] Update modules/github-foundations/azure-oidc-variables.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-foundations/azure-oidc-variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/github-foundations/azure-oidc-variables.tf b/modules/github-foundations/azure-oidc-variables.tf index 8719b9e..7b00c2a 100644 --- a/modules/github-foundations/azure-oidc-variables.tf +++ b/modules/github-foundations/azure-oidc-variables.tf @@ -54,8 +54,8 @@ resource "github_actions_organization_variable" "storage_account_name" { count = var.oidc_configuration.azure != null ? 1 : 0 variable_name = coalesce(var.oidc_configuration.azure.storage_account_name_variable_name, "AZURE_STORAGE_ACCOUNT_NAME") - value = var.oidc_configuration.azure.storage_account_name - visibility = "selected" + value = var.oidc_configuration.azure.storage_account_name + visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, github_repository.organizations_repo.repo_id 
From ea1234993e36fdd593ac658c8d3e3bd5ef3cc713 Mon Sep 17 00:00:00 2001 From: TylerMizuyabu Date: Fri, 31 May 2024 09:11:37 -0400 Subject: [PATCH 35/37] Update modules/github-foundations/azure-oidc-variables.tf Co-authored-by: Ben Zarboni <99673202+bzarboni1@users.noreply.github.com> Signed-off-by: TylerMizuyabu --- modules/github-foundations/azure-oidc-variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/github-foundations/azure-oidc-variables.tf b/modules/github-foundations/azure-oidc-variables.tf index 7b00c2a..7592b3a 100644 --- a/modules/github-foundations/azure-oidc-variables.tf +++ b/modules/github-foundations/azure-oidc-variables.tf @@ -66,8 +66,8 @@ resource "github_actions_organization_variable" "container_name" { count = var.oidc_configuration.azure != null ? 1 : 0 variable_name = coalesce(var.oidc_configuration.azure.container_name_variable_name, "AZURE_CONTAINER_NAME") - value = var.oidc_configuration.azure.container_name - visibility = "selected" + value = var.oidc_configuration.azure.container_name + visibility = "selected" selected_repository_ids = [ github_repository.bootstrap_repo.repo_id, github_repository.organizations_repo.repo_id From 3e973afddb9b4593544c9493ee6e43f8ac09679f Mon Sep 17 00:00:00 2001 From: Tyler Mizuyabu Date: Fri, 31 May 2024 09:15:47 -0400 Subject: [PATCH 36/37] update input description and set defaults for sa tier and redundancy variables --- modules/github-azure-oidc/variables.tf | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/modules/github-azure-oidc/variables.tf b/modules/github-azure-oidc/variables.tf index 1cd0f5a..73434c5 100644 --- a/modules/github-azure-oidc/variables.tf +++ b/modules/github-azure-oidc/variables.tf 
@@ -1,6 +1,6 @@ # Resource Group Variables variable "rg_create" { - description = "Create resource group. When set to false, uses id to reference an existing resource group." + description = "Create the resource group. When set to false it uses the `rg_name` input to reference an existing resource group. Defaults to true." type = bool default = true } @@ -23,12 +23,14 @@ variable "sa_name" { variable "sa_tier" { type = string - description = "The tier of the storage account for github foundations. Valid options are Standard and Premium." + description = "The tier of the storage account for github foundations. Valid options are Standard and Premium. Defaults to Standard." + default = "Standard" } variable "sa_replication_type" { type = string - description = "The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA_GZRS." + description = "The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA_GZRS. Defaults to GRS." + default = "GRS" } variable "tf_state_container" { From 0c13d92a27f981e7a93ed7fe4020575c136cda49 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Fri, 31 May 2024 13:16:14 +0000 Subject: [PATCH 37/37] terraform-docs: automated action --- modules/github-azure-oidc/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/github-azure-oidc/README.md b/modules/github-azure-oidc/README.md index ec58921..7774967 100644 --- a/modules/github-azure-oidc/README.md +++ b/modules/github-azure-oidc/README.md 
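Review bot: The new defaults for `sa_tier` and `sa_replication_type` state the valid values only in prose, so a typo such as `standard` or a stray space is rejected by the Azure API at apply time instead of at plan time; add `validation` blocks that pin each input to its listed set. The description spells the last option `RA_GZRS`, which looks like a typo for the provider's `RAGZRS` — worth confirming, since the validation below assumes the provider spelling. The same pattern would let `tf_state_container_anonymous_access_level` (shown in this module's README with default `private`) reject any value other than `private`, because any other setting permits anonymous reads of the Terraform state container; I cannot see that variable's body from here, so treat that as a suggestion to confirm. The `rg_create` hunk in this file only changes a description and needs nothing further.
```hcl
variable "sa_tier" {
  # … unchanged: type, description, default …
  validation {
    condition     = contains(["Standard", "Premium"], var.sa_tier)
    error_message = "sa_tier must be Standard or Premium."
  }
}

variable "sa_replication_type" {
  # … unchanged: type, description, default …
  validation {
    condition     = contains(["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"], var.sa_replication_type)
    error_message = "sa_replication_type must be one of LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS."
  }
}
```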
@@ -46,12 +46,12 @@ No modules. | [github\_foundations\_organization\_name](#input\_github\_foundations\_organization\_name) | The name of the organization that the github foundation repos will be under. | `string` | n/a | yes | | [kv\_name](#input\_kv\_name) | The name of the key vault to use for github foundation secrets. If storing secrets to authenticate against github in a different way then this does not need to be set. (Optional) | `string` | `""` | no | | [kv\_resource\_group](#input\_kv\_resource\_group) | The name of the resource group that the key vault is in. If empty it will default to the github foundations resource group. | `string` | n/a | yes | -| [rg\_create](#input\_rg\_create) | Create resource group. When set to false, uses id to reference an existing resource group. | `bool` | `true` | no | +| [rg\_create](#input\_rg\_create) | Create the resource group. When set to false it uses the `rg_name` input to reference an existing resource group. Defaults to true. | `bool` | `true` | no | | [rg\_location](#input\_rg\_location) | The location of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | | [rg\_name](#input\_rg\_name) | The name of the resource group to create the github foundation azure resources in. | `string` | n/a | yes | | [sa\_name](#input\_sa\_name) | The name of the storage account for github foundations. | `string` | n/a | yes | -| [sa\_replication\_type](#input\_sa\_replication\_type) | The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA\_GZRS. | `string` | n/a | yes | -| [sa\_tier](#input\_sa\_tier) | The tier of the storage account for github foundations. Valid options are Standard and Premium. | `string` | n/a | yes | +| [sa\_replication\_type](#input\_sa\_replication\_type) | The replication type of the storage account for github foundations. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, and RA\_GZRS. Defaults to GRS. 
| `string` | `"GRS"` | no | +| [sa\_tier](#input\_sa\_tier) | The tier of the storage account for github foundations. Valid options are Standard and Premium. Defaults to Standard. | `string` | `"Standard"` | no | | [tf\_state\_container](#input\_tf\_state\_container) | The name of the container to store the terraform state file(s) in. | `string` | `"tfstate"` | no | | [tf\_state\_container\_anonymous\_access\_level](#input\_tf\_state\_container\_anonymous\_access\_level) | The anonymous access level of the container to store the terraform state file(s) in. | `string` | `"private"` | no | | [tf\_state\_container\_default\_encryption\_scope](#input\_tf\_state\_container\_default\_encryption\_scope) | The default encryption scope of the container to store the terraform state file(s) in. |
object({
name = string
source = string
key_vault_key_id = optional(string)
})
|
{
"name": "",
"source": "",
"storage_account_id": ""
}
| no |