I think the use case for setting the Issue to something besides the default is when you're using your own instance of Github. Also, it would have been useful to show the part where you gave the registered App the permissions it needed to do what it needed to do. For some reason I forgot that you didn't show it and was trying to figure out why it wasn't working. You need the role set in order for it to see or do what it needs to do first. In my case this was not for applying terraform but at least showing that would have given me a bit more context for what was needed here.
Do you have a TT video that does exactly this but uses Azure DevOps Pipelines and configuration with Azure DevOps Service Connection. Essentially a clone of this but not using GHA ? Or are the changes to take this and change to ADO 90% the same plus the differences?
Azure AD (Entra ID) doesn't support wildcards, so you need to add a federated credential for each repo, branch, and PR. I don't love that, but you can use Terraform to do it for you!
The main point is to remove long lived passwords/credentials. There's good documentation from Github on how to set it up: docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
