diff --git a/terraform/modules/spack_github/mirrors_iam.tf b/terraform/modules/spack_github/mirrors_iam.tf
new file mode 100644
index 000000000..5ef6f6f38
--- /dev/null
+++ b/terraform/modules/spack_github/mirrors_iam.tf
@@ -0,0 +1,48 @@
+locals {
+ github_domain = "token.actions.githubusercontent.com"
+
+ mirror_roles = {
+ "sts.amazonaws.com" = {
+ "role_name_suffix" = "SpackSourceMirror${var.deployment_name == "prod" ? "" : "-${var.deployment_name}"}-${var.deployment_stage}",
+ "conditions" = [
+ "repo:spack/spack-packages:ref:refs/heads/develop",
+ ],
+ },
+ }
+}
+
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy_document" "github_oidc_assume_role" {
+ for_each = local.mirror_roles
+
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+
+ principals {
+ type = "Federated"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/${local.github_domain}"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "${local.github_domain}:aud"
+ values = [each.key]
+ }
+
+ condition {
+ test = "StringEqual"
+ variable = "${local.github_domain}:sub"
+ values = each.value.conditions
+ }
+ }
+}
+
+resource "aws_iam_role" "source_mirror_sync" {
+ for_each = data.aws_iam_policy_document.github_oidc_assume_role
+
+ name = "SourceMirrorSync${local.mirror_roles[each.key].role_name_suffix}"
+ assume_role_policy = each.value.json
+ max_session_duration = 3600 * 6 # only allow a max of 6 hours for a session to be active
+}
diff --git a/terraform/modules/spack_github/variables.tf b/terraform/modules/spack_github/variables.tf
new file mode 100644
index 000000000..01d06f88a
--- /dev/null
+++ b/terraform/modules/spack_github/variables.tf
@@ -0,0 +1,11 @@
+variable "deployment_name" {
+ type = string
+}
+
+variable "deployment_stage" {
+ type = string
+}
+
+variable "region" {
+ type = string
+}
diff --git a/terraform/production/main.tf b/terraform/production/main.tf
index a057dd2c1..fd2e30e1d 100644
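Review bot: The second `condition` block in `data "aws_iam_policy_document" "github_oidc_assume_role"` uses `test = "StringEqual"`, which is not an IAM condition operator; the operator is `StringEquals`, as the `aud` condition directly above already uses. That block is the one that pins `sub` to `repo:spack/spack-packages:ref:refs/heads/develop`, i.e. the control that keeps workflows from other repositories or branches from assuming `SourceMirrorSync*`, so a broken operator here is not cosmetic: IAM should reject the document as malformed at apply time, and a trust policy without that key would be bounded only by `aud`. Change the line to `test = "StringEquals"`. A short comment on `data "aws_caller_identity" "current"` would also help, since the policy references the `token.actions.githubusercontent.com` OIDC provider by ARN and presumably expects it to already exist in the account rather than creating it here.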
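Review bot: None of the three variables in `variables.tf` carries a `description`, and `region` is not read by `mirrors_iam.tf` in this change, so a reader cannot tell what values are expected or what `region` drives. Suggest `description = "Deployment name; \"prod\" is left out of generated IAM role names"` on `deployment_name`, a description of the stage on `deployment_stage` (it becomes the trailing segment of the role name), and on `region` either a description naming what consumes it or, if nothing in the module does, removing it together with the argument in the production root.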
--- a/terraform/production/main.tf
+++ b/terraform/production/main.tf
@@ -26,3 +26,12 @@ module "spack_gitlab" {
 gitlab_token = var.gitlab_token
 }
+
+module "spack_github" {
+ source = "../modules/spack_github"
+
+ deployment_name = "prod"
+ deployment_stage = "blue"
+
+ region = "us-east-1"
+}
diff --git a/terraform/production/versions.tf b/terraform/production/versions.tf
index fd43eca08..d6c57d53b 100644
--- a/terraform/production/versions.tf
+++ b/terraform/production/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = "~> 1.11.3"
+ required_version = "~> 1.11"
 required_providers {
 aws = {
diff --git a/terraform/staging/versions.tf b/terraform/staging/versions.tf
index d017269aa..99f64a1ef 100644
--- a/terraform/staging/versions.tf
+++ b/terraform/staging/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = "~> 1.11.3"
+ required_version = "~> 1.11"
 required_providers {
 aws = {
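Review bot: `region = "us-east-1"` is passed to `module "spack_github"`, but neither new module file reads `var.region` and the module declares no provider of its own, so as far as this diff shows the argument has no effect and the role is created under whatever AWS provider the root passes implicitly. If another file in the module consumes it, a comment on the argument naming what it drives would help; otherwise drop it along with the `region` variable. Separately, `deployment_stage = "blue"` is embedded in the IAM role name by the module, so changing the stage later renames and therefore recreates `SourceMirrorSync*`; a comment such as `# stage is part of the IAM role name; changing it recreates the role` would make that visible to the next editor.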