Skip to content

chore: add SOPS KMS recipient and GitHub OIDC role #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
xnoto merged 2 commits into from
Jun 19, 2026
Merged

chore: add SOPS KMS recipient and GitHub OIDC role #6

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
de42a2e
chore: add sops kms recipient
xnoto Jun 19, 2026
e7e3ec5
ci: allow github oidc for sops kms
xnoto Jun 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .github/workflows/opentofu.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ on:

permissions:
contents: read
id-token: write
pull-requests: write

jobs:
Expand Down
3 changes: 2 additions & 1 deletion .sops.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
---
creation_rules:
- age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
- kms: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
age: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
4 changes: 4 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,9 @@ No modules.
| Name | Type |
| ---- | ---- |
| [aws_iam_access_key.admin_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
| [aws_iam_role.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_iam_user.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy_attachment.admin_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_kms_alias.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
Expand All @@ -45,6 +48,7 @@ No inputs.
| Name | Description |
| ---- | ----------- |
| <a name="output_admin_access_keys"></a> [admin\_access\_keys](#output\_admin\_access\_keys) | Admin IAM user access keys |
| <a name="output_github_actions_sops_kms_role_arn"></a> [github\_actions\_sops\_kms\_role\_arn](#output\_github\_actions\_sops\_kms\_role\_arn) | IAM role ARN for GitHub Actions SOPS KMS access |
| <a name="output_sops_kms_key_arn"></a> [sops\_kms\_key\_arn](#output\_sops\_kms\_key\_arn) | KMS key ARN for future SOPS AWS KMS recipients |
| <a name="output_web_bucket_endpoints"></a> [web\_bucket\_endpoints](#output\_web\_bucket\_endpoints) | Website endpoints for public web S3 buckets |
<!-- END_TF_DOCS -->
71 changes: 71 additions & 0 deletions aws-github-oidc.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
resource "aws_iam_openid_connect_provider" "github_actions" {
url = "https://token.actions.githubusercontent.com"

client_id_list = [
"sts.amazonaws.com"
]

thumbprint_list = [
"6938fd4d98bab03faadb97b34396831e3780aea1"
]

tags = {
ManagedBy = "Terraform"
}
}

resource "aws_iam_role" "github_actions_sops_kms" {
name = "github-actions-sops-kms"

assume_role_policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Principal = {
Federated = aws_iam_openid_connect_provider.github_actions.arn
}
Action = "sts:AssumeRoleWithWebIdentity"
Condition = {
StringEquals = {
"token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
}
StringLike = {
"token.actions.githubusercontent.com:sub" = [
"repo:makeitworkcloud/tfroot-aws:*",
"repo:makeitworkcloud/tfroot-cloudflare:*",
"repo:makeitworkcloud/tfroot-github:*",
"repo:makeitworkcloud/tfroot-libvirt:*"
]
}
}
}
]
})

tags = {
ManagedBy = "Terraform"
}
}

resource "aws_iam_role_policy" "github_actions_sops_kms" {
name = "sops-kms"
role = aws_iam_role.github_actions_sops_kms.id

policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKey*",
"kms:ReEncrypt*"
]
Resource = aws_kms_key.sops.arn
}
]
})
}
5 changes: 5 additions & 0 deletions outputs.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,8 @@ output "sops_kms_key_arn" {
description = "KMS key ARN for future SOPS AWS KMS recipients"
value = aws_kms_key.sops.arn
}

output "github_actions_sops_kms_role_arn" {
description = "IAM role ARN for GitHub Actions SOPS KMS access"
value = aws_iam_role.github_actions_sops_kms.arn
}
15 changes: 10 additions & 5 deletions secrets/secrets.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,15 +4,20 @@ s3_region: ENC[AES256_GCM,data:eOyGm9ay1WsF,iv:wDUtASNnplZ76JJh54xlKKcXNKAtosepQ
s3_access_key: ENC[AES256_GCM,data:wQL1zGnkAtWM1EWgooXMMq5dRHI=,iv:wmRjCt28jloov7zKNs4TaZ9GeKhO6/nqPqY1sxFmaQ4=,tag:ZDIeBorMgwkVrdv80SYiGw==,type:str]
s3_secret_key: ENC[AES256_GCM,data:0EcLqSBTSCQ83LJ1RIuPjv7jzBm4KDeJVyUnGFVzxsCSCo1d+no7lQ==,iv:TuG8ATqDozZ5TsuBmHPNQC7pg1GXfrHgWxDIpjbFsWQ=,tag:46XhMpFqfNoPkteVcFZDeQ==,type:str]
sops:
kms:
- arn: arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91
created_at: "2026-06-19T03:45:00Z"
enc: AQICAHj1IggLFhM4nJnKEvmbEpk5E9RxZZoxpZYUW0taoyrz1AGxCPeJfC+xwLXrjLnKdN4HAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMo4N0BsmO7344VxgjAgEQgDuroFMxzwYxFsG1vHaITeOI1tFQ1iC2KC9RZRe/Mu3rPA3u0A25tpqYXtpi7CBcUPgCMfg4gsWfY68pDQ==
aws_profile: ""
age:
- recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqa1V4WGpuWGVlY2xMcVk5
QlJFeHk3ZjdrcVpnRDFRSmlRQ2FTZnE4WTFRCjQ5UmRONDV3a2xTc3Mya0wvekN6
RmJrQ09nZzk4VkZxRGlremcrUWU1Z2MKLS0tIHpFZFVpV3lpOUJNSDFwdDRpazJK
d2pVcDh3cDNqY1gzSVR5Z2NXcld1Qm8KRdv8vKhMBi1R8fGIphdmY4pfHV1sAqSb
nAXWA6Ut5/KAPIluSnBtWFkcakulcXYT01XorziztVS0X4nJDzEvMg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMZ0xJeTIwSnZ4UzlKSDQ5
M1VQSjJaOGZ1aFNUN2l5Y1l4L1dnbUtGUGhRCnhsWi9pV21WdGNNVERaQXFaVzR6
TzhUWHllUUpQeTRaU2R3eU92S0hDVmcKLS0tIHhZeFZDRHdlU3Z2WERtdHJXM1dJ
MjBPNmJWWWpxY3pRd25IWldvUy9wS2sKHovTPwKIU1gsamMMlGxSvCiO6EwJ6pNO
UZF83FI1e+oEenynCmziC3BFaA0tpcYj12pEuiZAAroUPurEmJ+D0Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-27T23:45:19Z"
mac: ENC[AES256_GCM,data:AcSRYq32GptizEXMujOIh4cC29BVNQj4lad85BWfHl6TGQA7oWN5A32xoXqCWqpWEuVDpndUAPZXvMRK8n53djXEXb/A6G9R8vEzaKOUB9zijItanUXkVK63d7KE9X8JrgtV7KQcWZx01qQitMzezMTkouvkfYpodPr1hkV2PIk=,iv:o5Q3VQG55jeCVHTNAAV1HgN91SU6jbx+IFZVGx2vN7o=,tag:GX/v69ggBNUpnLGFPBINdg==,type:str]
Expand Down
Loading