feat: Enhance IAM policy for GitHub OIDC module to allow comprehensive management of AWS Organizations resources

Author: Arnel Jan Sarmiento

modules/aws/github-oidc/main.tf

@@ -130,6 +130,35 @@ data "aws_iam_policy_document" "iam_and_terraform" {
     }
   }
 
+  # PowerUserAccess denies organizations:* — re-grant for managing
+  # AWS Organizations resources in the root workspace.
+  statement {
+    sid    = "OrganizationsAccess"
+    effect = "Allow"
+    actions = [
+      "organizations:DescribeOrganization",
+      "organizations:ListAccounts",
+      "organizations:DescribeAccount",
+      "organizations:ListRoots",
+      "organizations:ListAWSServiceAccessForOrganization",
+      "organizations:ListDelegatedAdministrators",
+      "organizations:EnableAWSServiceAccess",
+      "organizations:DisableAWSServiceAccess",
+      "organizations:ListPolicies",
+      "organizations:DescribePolicy",
+      "organizations:ListTargetsForPolicy",
+      "organizations:EnablePolicyType",
+      "organizations:DisablePolicyType",
+      "organizations:CreateAccount",
+      "organizations:DescribeCreateAccountStatus",
+      "organizations:CloseAccount",
+      "organizations:TagResource",
+      "organizations:UntagResource",
+      "organizations:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
   statement {
     sid    = "STSandKMS"
     effect = "Allow"