From fe2e363b424faa2ee30ffb963066bd345dc5dbbd Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 23:49:52 -0600
Subject: [PATCH] feat: add sops-secrets-operator KMS user
---
README.md | 5 +++++
aws-iam.tf | 33 +++++++++++++++++++++++++++++++++
outputs.tf | 14 ++++++++++++++
3 files changed, 52 insertions(+)
diff --git a/README.md b/README.md
index 00ae4f7..f04cf43 100644
--- a/README.md
+++ b/README.md
@@ -22,10 +22,13 @@ No modules.
 | Name | Type |
 | ---- | ---- |
 | [aws_iam_access_key.admin_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
+| [aws_iam_access_key.sops_secrets_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
 | [aws_iam_openid_connect_provider.github_actions](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_openid_connect_provider) | resource |
 | [aws_iam_role.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.github_actions_sops_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_iam_user.admin](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user.sops_secrets_operator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
+| [aws_iam_user_policy.sops_secrets_operator_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy) | resource |
 | [aws_iam_user_policy_attachment.admin_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
 | [aws_kms_alias.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.sops](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
@@ -50,5 +53,7 @@ No inputs.
 | [admin\_access\_keys](#output\_admin\_access\_keys) | Admin IAM user access keys |
 | [github\_actions\_sops\_kms\_role\_arn](#output\_github\_actions\_sops\_kms\_role\_arn) | IAM role ARN for GitHub Actions SOPS KMS access |
 | [sops\_kms\_key\_arn](#output\_sops\_kms\_key\_arn) | KMS key ARN for future SOPS AWS KMS recipients |
+| [sops\_secrets\_operator\_access\_key](#output\_sops\_secrets\_operator\_access\_key) | Access key for the k3s sops-secrets-operator to decrypt SOPS AWS KMS secrets |
+| [sops\_secrets\_operator\_iam\_user\_arn](#output\_sops\_secrets\_operator\_iam\_user\_arn) | IAM user ARN for the k3s sops-secrets-operator |
 | [web\_bucket\_endpoints](#output\_web\_bucket\_endpoints) | Website endpoints for public web S3 buckets |
diff --git a/aws-iam.tf b/aws-iam.tf
index 1b5f6a7..c6962cc 100644
--- a/aws-iam.tf
+++ b/aws-iam.tf
@@ -17,3 +17,36 @@ resource "aws_iam_access_key" "admin_key" {
 for_each = local.admin_users
 user = aws_iam_user.admin[each.key].name
 }
+
+resource "aws_iam_user" "sops_secrets_operator" {
+ name = "sops-secrets-operator"
+ force_destroy = false
+
+ tags = {
+ ManagedBy = "Terraform"
+ Purpose = "sops-secrets-operator"
+ }
+}
+
+resource "aws_iam_user_policy" "sops_secrets_operator_kms" {
+ name = "sops-kms-decrypt"
+ user = aws_iam_user.sops_secrets_operator.name
+
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Effect = "Allow"
+ Action = [
+ "kms:Decrypt",
+ "kms:DescribeKey"
+ ]
+ Resource = aws_kms_key.sops.arn
+ }
+ ]
+ })
+}
+
+resource "aws_iam_access_key" "sops_secrets_operator" {
+ user = aws_iam_user.sops_secrets_operator.name
+}
diff --git a/outputs.tf b/outputs.tf
index e0ab005..017f229 100644
--- a/outputs.tf
+++ b/outputs.tf
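Review bot: `aws_iam_access_key.sops_secrets_operator` is a static, long-lived credential with nothing in the hunk about rotation, and its secret is written in plaintext to Terraform state (the new output in outputs.tf then exposes it, marked sensitive). The repository already uses the federated pattern for GitHub Actions (`aws_iam_role.github_actions_sops_kms` in the README table), so if the k3s cluster can present an OIDC identity the key could be replaced by a role; if it must stay, setting `pgp_key` on the access key keeps only `encrypted_secret` in state. The inline policy is appropriately narrow (`kms:Decrypt`/`kms:DescribeKey` on `aws_kms_key.sops.arn`), but it only takes effect if the key policy of `aws_kms_key.sops` (not in this hunk) delegates to IAM for this account, which is worth confirming. A comment above the access key such as `# Long-lived static key for the in-cluster operator; rotate by replacing this resource and updating the operator's Secret.` would record the operational contract.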
@@ -24,3 +24,17 @@ output "github_actions_sops_kms_role_arn" {
 description = "IAM role ARN for GitHub Actions SOPS KMS access"
 value = aws_iam_role.github_actions_sops_kms.arn
 }
+
+output "sops_secrets_operator_access_key" {
+ description = "Access key for the k3s sops-secrets-operator to decrypt SOPS AWS KMS secrets"
+ value = {
+ access_key_id = aws_iam_access_key.sops_secrets_operator.id
+ secret_access_key = aws_iam_access_key.sops_secrets_operator.secret
+ }
+ sensitive = true
+}
+
+output "sops_secrets_operator_iam_user_arn" {
+ description = "IAM user ARN for the k3s sops-secrets-operator"
+ value = aws_iam_user.sops_secrets_operator.arn
+}
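Review bot: `sensitive = true` on `sops_secrets_operator_access_key` only redacts the value in plan/apply output; the secret remains readable from state and via `terraform output -json`, and neither the description nor a comment says so. A comment above the output, `# Redacted in CLI output only; still stored in state and printed by terraform output -json.`, would make that clear to whoever hands the key to the cluster. The `sops_secrets_operator_iam_user_arn` output is fine as written.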