chore: add SOPS KMS recipient and GitHub OIDC role#6

Merged
xnoto merged 2 commits into
mainfrom
chore/add-sops-kms-recipient
Jun 19, 2026

Conversation

@xnoto xnoto commented Jun 19, 2026

Summary

  • add the Make IT Work Cloud SOPS AWS KMS key as an additional SOPS recipient
  • re-key secrets/secrets.yaml while keeping the existing age recipient for compatibility
  • create the GitHub OIDC provider and github-actions-sops-kms IAM role for CI SOPS KMS access
  • grant the caller workflow id-token: write

Dependency / rollout

  • Merge and apply this PR before merging makeitworkcloud/shared-workflows#7, because the reusable workflow assumes the role created here.

Validation

  • AWS_PROFILE=makeitwork sops decrypt --output /dev/null secrets/secrets.yaml
  • verified SOPS metadata includes both age and KMS recipients
  • tofu init -backend=false -input=false -no-color
  • tofu validate -no-color
  • PCT_TFPATH=$(command -v tofu) pre-commit run --all-files
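The "verified SOPS metadata includes both age and KMS recipients" step above is a manual look at the `sops:` block at the end of the encrypted file. The following is an added Python example (not code from this PR or the project) that turns that look into a check which fails when the recipient set does not match the intended rollout state. The metadata dict is constructed to mirror what SOPS writes (and what `yaml.safe_load` would return for `secrets/secrets.yaml`); the `enc` blobs, the age recipient and the `version` string are placeholders, and only the KMS key ARN is the one from this PR's plan.

```python
"""Check which recipients a SOPS-encrypted file is keyed to.

Added example, not project code. SAMPLE_METADATA is constructed to look like
the `sops:` section SOPS writes at the end of secrets/secrets.yaml; in
practice load it with yaml.safe_load(open("secrets/secrets.yaml"))["sops"].
"""
from typing import Optional

# KMS key ARN from the plan output in this PR.
EXPECTED_KMS_ARN = "arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91"

# Key types SOPS lists in its metadata; each entry is one recipient holding
# its own encrypted copy of the file's data key.
RECIPIENT_TYPES = ("kms", "age", "pgp", "gcp_kms", "azure_kv", "hc_vault")

# Constructed sample: the state this PR leaves the file in (age kept + KMS added).
# The enc blobs and the age recipient are placeholders, not real values.
SAMPLE_METADATA = {
    "kms": [{
        "arn": EXPECTED_KMS_ARN,
        "created_at": "2026-06-19T03:50:00Z",
        "enc": "AQICAHh-placeholder-kms-ciphertext",
        "aws_profile": "makeitwork",
    }],
    "age": [{
        "recipient": "age1placeholderrecipient0000000000000000000000000000000000000",
        "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nplaceholder\n-----END AGE ENCRYPTED FILE-----\n",
    }],
    "lastmodified": "2026-06-19T03:50:00Z",
    "mac": "ENC[AES256_GCM,data:placeholder,type:str]",
    "unencrypted_suffix": "_unencrypted",
    "version": "3.9.0",
}


def recipient_counts(sops_meta: dict) -> dict:
    """Number of recipients per key type, in SOPS's own naming."""
    return {t: len(sops_meta.get(t) or []) for t in RECIPIENT_TYPES}


def format_status(sops_meta: dict) -> str:
    """Render counts the way the validation notes do, e.g. 'kms=1 age=1'."""
    counts = recipient_counts(sops_meta)
    return " ".join(f"{t}={n}" for t, n in counts.items() if n) or "no recipients"


def check_recipients(sops_meta: dict, expect_kms: int, expect_age: int,
                     allowed_kms_arns: Optional[set] = None) -> list:
    """Return findings; an empty list means the file is keyed exactly as expected."""
    findings = []
    counts = recipient_counts(sops_meta)
    if counts["kms"] != expect_kms:
        findings.append(f"kms recipients: expected {expect_kms}, found {counts['kms']}")
    if counts["age"] != expect_age:
        findings.append(f"age recipients: expected {expect_age}, found {counts['age']}")
    # Any other key type would be a recipient nobody intended.
    for t, n in counts.items():
        if t not in ("kms", "age") and n:
            findings.append(f"unexpected {t} recipients: {n}")
    if allowed_kms_arns is not None:
        for entry in sops_meta.get("kms") or []:
            if entry.get("arn") not in allowed_kms_arns:
                findings.append(f"kms recipient not in allow-list: {entry.get('arn')}")
    # Each recipient entry must carry its encrypted data-key copy, otherwise
    # that recipient cannot decrypt the file at all.
    for t in ("kms", "age"):
        for entry in sops_meta.get(t) or []:
            if not entry.get("enc"):
                findings.append(f"{t} recipient without an enc data key")
    if not sops_meta.get("mac"):
        findings.append("missing mac: SOPS cannot verify file integrity on decrypt")
    return findings


if __name__ == "__main__":
    print(format_status(SAMPLE_METADATA))
    # Expectation for this PR: both recipients present.
    print(check_recipients(SAMPLE_METADATA, 1, 1, {EXPECTED_KMS_ARN}) or "ok")
    # Expectation for the KMS-only follow-up PRs: the leftover age recipient is flagged.
    print(check_recipients(SAMPLE_METADATA, 1, 0, {EXPECTED_KMS_ARN}) or "ok")
```

The same function covers both states this rollout passes through: `expect_age=1` for this PR, where age is kept for compatibility, and `expect_age=0` for the later KMS-only re-keys, where a leftover age recipient means the old key can still open the file. Pinning the KMS ARN to an allow-list catches a re-key against the wrong key, which `sops decrypt` succeeding would not.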

@xnoto xnoto force-pushed the chore/add-sops-kms-recipient branch from 6357211 to de42a2e Compare June 19, 2026 03:57
@xnoto xnoto changed the title chore: add SOPS KMS recipient chore: add SOPS KMS recipient and GitHub OIDC role Jun 19, 2026
@github-actions


OpenTofu Plan

OpenTofu will perform the following actions:

  # aws_iam_openid_connect_provider.github_actions will be created
  + resource "aws_iam_openid_connect_provider" "github_actions" {
      + arn             = (known after apply)
      + client_id_list  = [
          + "sts.amazonaws.com",
        ]
      + id              = (known after apply)
      + tags            = {
          + "ManagedBy" = "Terraform"
        }
      + tags_all        = {
          + "ManagedBy" = "Terraform"
        }
      + thumbprint_list = [
          + "6938fd4d98bab03faadb97b34396831e3780aea1",
        ]
      + url             = "https://token.actions.githubusercontent.com"
    }

  # aws_iam_role.github_actions_sops_kms will be created
  + resource "aws_iam_role" "github_actions_sops_kms" {
      + arn                   = (known after apply)
      + assume_role_policy    = (known after apply)
      + create_date           = (known after apply)
      + force_detach_policies = false
      + id                    = (known after apply)
      + managed_policy_arns   = (known after apply)
      + max_session_duration  = 3600
      + name                  = "github-actions-sops-kms"
      + name_prefix           = (known after apply)
      + path                  = "/"
      + tags                  = {
          + "ManagedBy" = "Terraform"
        }
      + tags_all              = {
          + "ManagedBy" = "Terraform"
        }
      + unique_id             = (known after apply)

      + inline_policy (known after apply)
    }

  # aws_iam_role_policy.github_actions_sops_kms will be created
  + resource "aws_iam_role_policy" "github_actions_sops_kms" {
      + id          = (known after apply)
      + name        = "sops-kms"
      + name_prefix = (known after apply)
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "kms:Decrypt",
                          + "kms:DescribeKey",
                          + "kms:Encrypt",
                          + "kms:GenerateDataKey*",
                          + "kms:ReEncrypt*",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + role        = (known after apply)
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + github_actions_sops_kms_role_arn = (known after apply)
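The plan above shows the role's permission policy in full but only `assume_role_policy = (known after apply)`, and the trust policy is where the security of a GitHub OIDC role is decided: without a `sub` condition pinned to a repository, any GitHub workflow presenting a token with the right audience can assume the role. The following is an added Python example (not code from this PR or the project) that audits both documents. The account id, role, KMS key ARN and permission policy are taken from the plan; the two trust policies are constructed, because the PR does not show the real one; the provider ARN form is the one IAM uses for an OIDC provider; and the caller repository `makeitworkcloud/tfroot-aws` is assumed from the dependency notes.

```python
"""Audit the trust and permission policies of a GitHub Actions OIDC role.

Added example, not project code. Account id, KMS key ARN and the permission
policy come from the plan output above; the trust policies are constructed
because the plan only shows assume_role_policy as "(known after apply)".
The repository slug is assumed from the PR notes.
"""
from typing import Optional

ACCOUNT_ID = "332355796717"
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
# Expected ARN form of the aws_iam_openid_connect_provider created by this PR.
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{GITHUB_OIDC_HOST}"
KMS_KEY_ARN = "arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91"
ALLOWED_REPOS = {"makeitworkcloud/tfroot-aws"}  # assumed caller repository


def _trust_policy_with(condition: Optional[dict]) -> dict:
    """Build a web-identity trust policy with the given Condition block (constructed)."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Scoped trust policy: one repository, one branch, audience pinned to STS.
SCOPED_TRUST_POLICY = _trust_policy_with({
    "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:makeitworkcloud/tfroot-aws:ref:refs/heads/main"},
})
# Weak variant: audience checked, but the sub wildcard admits every GitHub repository.
WEAK_TRUST_POLICY = _trust_policy_with({
    "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:*"},
})

# Permission policy as shown in the plan for aws_iam_role_policy.github_actions_sops_kms.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                   "kms:GenerateDataKey*", "kms:ReEncrypt*"],
        "Effect": "Allow",
        "Resource": KMS_KEY_ARN,
    }],
}


def _as_list(value) -> list:
    """IAM accepts a scalar wherever a list is meant; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _sub_is_scoped(sub: str, allowed_repos: set) -> bool:
    """Accept a sub claim only if it names exactly one allowed repository."""
    if not sub.startswith("repo:"):
        return False
    slug, _, _claims = sub[len("repo:"):].partition(":")
    if any(ch in slug for ch in "*?"):
        return False
    return slug in allowed_repos


def audit_trust_policy(policy: dict, provider_arn: str, allowed_repos: set) -> list:
    """Findings for every web-identity Allow statement; [] means scoped as expected."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if federated != [provider_arn]:
            findings.append(f"statement {i}: Federated principal is not {provider_arn}")
        cond = stmt.get("Condition") or {}
        if cond.get("StringEquals", {}).get(f"{GITHUB_OIDC_HOST}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = []
        for op in ("StringEquals", "StringLike"):
            subs += _as_list(cond.get(op, {}).get(f"{GITHUB_OIDC_HOST}:sub"))
        if not subs:
            findings.append(f"statement {i}: no sub condition, any GitHub workflow could assume the role")
        for sub in subs:
            if not _sub_is_scoped(sub, allowed_repos):
                findings.append(f"statement {i}: sub not scoped to an allowed repository: {sub}")
    return findings


def audit_permission_policy(policy: dict, allowed_resources: set, action_prefix: str = "kms:") -> list:
    """Flag actions outside the expected service or resources outside the allow-list."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or not action.startswith(action_prefix):
                findings.append(f"statement {i}: action outside {action_prefix}: {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource not in allowed_resources:
                findings.append(f"statement {i}: resource not in allow-list: {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, audit_trust_policy(policy, PROVIDER_ARN, ALLOWED_REPOS) or "ok")
    print("permissions", audit_permission_policy(PERMISSION_POLICY, {KMS_KEY_ARN}) or "ok")
```

The permission policy from the plan passes as-is: every action is under `kms:` and the only resource is the single key. Feeding the audit the real `assume_role_policy` after apply (for example via `aws iam get-role`) gives the missing half of the review; the thumbprint in the plan is not checked here because AWS validates GitHub's OIDC issuer certificate itself for that provider.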

@xnoto xnoto merged commit 74fb16a into main Jun 19, 2026
3 checks passed
@xnoto xnoto deleted the chore/add-sops-kms-recipient branch June 19, 2026 04:06
xnoto added a commit to makeitworkcloud/shared-workflows that referenced this pull request Jun 19, 2026
## Summary
- configure the reusable OpenTofu workflow to assume the SOPS KMS IAM
role via GitHub OIDC
- add `id-token: write` permission to the reusable workflow
- make `SOPS_AGE_KEY` optional while age remains as a fallback recipient
- document the OIDC role inputs and caller requirements

## Dependency
- Requires `makeitworkcloud/tfroot-aws#6` to be merged/applied first so
`arn:aws:iam::332355796717:role/github-actions-sops-kms` exists.

## Validation
- `pre-commit run --all-files`
xnoto added a commit to makeitworkcloud/tfroot-github that referenced this pull request Jun 19, 2026
## Summary
- add the Make IT Work Cloud SOPS AWS KMS key as the SOPS recipient
- remove the age recipient from `.sops.yaml`
- re-key `secrets/secrets.yaml` so SOPS metadata is KMS-only
- grant the caller workflow `id-token: write` for the shared workflow's
GitHub OIDC role assumption
- stop publishing `SOPS_AGE_KEY` as a GitHub Actions secret to tfroot
repositories
- remove the encrypted `sops_age_key` value from this repo's SOPS
secrets file

## Dependency / rollout
- Requires `makeitworkcloud/tfroot-aws#6` and
`makeitworkcloud/shared-workflows#7`, both now merged/applied.
- Applying this PR will remove managed `SOPS_AGE_KEY` GitHub Actions
secrets from the tfroot repositories.

## Validation
- `AWS_PROFILE=makeitwork sops decrypt --output /dev/null
secrets/secrets.yaml`
- verified SOPS metadata has `kms=1` and `age=0`
- verified no remaining `SOPS_AGE_KEY` / `sops_age_key` references
- `PCT_TFPATH=$(command -v tofu) pre-commit run --all-files`
xnoto added a commit to makeitworkcloud/tfroot-libvirt that referenced this pull request Jun 19, 2026
## Summary
- add the Make IT Work Cloud SOPS AWS KMS key as the SOPS recipient
- remove the age recipient from `.sops.yaml`
- re-key `secrets/secrets.yaml` so SOPS metadata is KMS-only
- grant the caller workflow `id-token: write` for the shared workflow's
GitHub OIDC role assumption

## Dependency / rollout
- Requires `makeitworkcloud/tfroot-aws#6` and
`makeitworkcloud/shared-workflows#7`, both now merged/applied.

## Validation
- `AWS_PROFILE=makeitwork sops decrypt --output /dev/null
secrets/secrets.yaml`
- verified SOPS metadata has `kms=1` and `age=0`
- `PCT_TFPATH=$(command -v tofu) pre-commit run --all-files`
xnoto added a commit to makeitworkcloud/tfroot-cloudflare that referenced this pull request Jun 19, 2026
## Summary
- add the Make IT Work Cloud SOPS AWS KMS key as the SOPS recipient
- remove the age recipient from `.sops.yaml`
- re-key `secrets/secrets.yaml` so SOPS metadata is KMS-only
- grant the caller workflow `id-token: write` for the shared workflow's
GitHub OIDC role assumption
- stop passing `SOPS_AGE_KEY` to the shared workflow

## Dependency / rollout
- Requires `makeitworkcloud/tfroot-aws#6` and
`makeitworkcloud/shared-workflows#7`, both now merged/applied.
- `makeitworkcloud/shared-workflows#8` removes the age secret from the
reusable workflow itself.

## Validation
- `AWS_PROFILE=makeitwork sops decrypt --output /dev/null
secrets/secrets.yaml`
- verified SOPS metadata has `kms=1` and `age=0`
- `PCT_TFPATH=$(command -v tofu) pre-commit run --all-files`