aws iam create-open-id-connect-provider --url "https://token.actions.githubusercontent.com" --client-id-list 'sts.amazonaws.com'
Check out the trust policy for the role and use the following command to create the role:
aws iam create-role --role-name github-actions-role --assume-role-policy-document file://<./path/to/trustPolicyGitHubOIDC.json>
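The security-relevant part of that trust policy is its Condition block: besides the audience (sts.amazonaws.com), the token.actions.githubusercontent.com:sub claim must be pinned to your repository, otherwise a workflow in any GitHub repository could assume the role. The following linter is an added example (not part of org-formation-cli or this README) that checks a trust policy for exactly those two conditions before you pass it to aws iam create-role; build_policy, the sample policies, the account id 123456789012 and the example-org/example-repo name are constructed for illustration.

```python
import json
from typing import Dict, List

# Claim keys AWS exposes for the GitHub Actions OIDC issuer.
OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = OIDC_ISSUER + ":aud"
SUB_KEY = OIDC_ISSUER + ":sub"


def lint_trust_policy(policy_json: str) -> List[str]:
    """Return findings for a trust policy; an empty list means it looks sound."""
    findings: List[str] = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue  # only federated Allow statements matter here
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            findings.append("federated statement should allow only sts:AssumeRoleWithWebIdentity")
        # Flatten StringEquals/StringLike/... so claims can be looked up by key.
        claims: Dict[str, object] = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if claims.get(AUD_KEY) != "sts.amazonaws.com":
            findings.append(AUD_KEY + " must equal sts.amazonaws.com")
        subs = claims.get(SUB_KEY)
        subs = [subs] if isinstance(subs, str) else (subs or [])  # value may be a list
        if not subs:
            findings.append("missing " + SUB_KEY + ": any GitHub repository could assume this role")
        elif any(not s.startswith("repo:") or s.startswith("repo:*") for s in subs):
            findings.append(SUB_KEY + " must name a repository (or at least an org), got " + repr(subs))
    return findings


def build_policy(condition: Dict[str, Dict[str, str]]) -> str:
    """Build a constructed trust policy around the given Condition block (sample account id)."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + OIDC_ISSUER},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Constructed sample: audience checked but no `sub` pin (the usual mistake).
WEAK_POLICY = build_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
# Constructed sample: pinned to one repository and its main branch.
PINNED_POLICY = build_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"},
})
```

Run lint_trust_policy on the contents of your trustPolicyGitHubOIDC.json and fix every finding before creating the role.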
You can follow Issue 120 from the original org-formation-cli repo to set up a minimum set of required permissions.
You can find everything you need in the file ghas-workflow.yml; you will just need to edit it with your information and copy it into .github/workflows/.
Edit your organization.yml and then just commit and push your changes. You can check out my organization.yml: it has 3 Organizational Units (Prod, Test and Dev) and three accounts associated with them. You can also generate a default template using org-formation init --region <REGION> and personalize it.