
feat: add sops-secrets-operator KMS identity#9

Merged
xnoto merged 1 commit into main from feat/sops-secrets-operator-kms-identity
Jun 19, 2026

Conversation

@xnoto (Contributor) commented Jun 19, 2026

Summary

  • add a dedicated IAM user for the k3s sops-secrets-operator
  • grant least-privilege KMS decrypt/describe access to the existing SOPS KMS key
  • output the operator access key as a sensitive value for later KSOPS-managed cluster secret wiring
  • regenerate terraform-docs README with the tfroot-runner version

Validation

  • tofu fmt -recursive
  • tofu init -backend=false -reconfigure -upgrade -input=false -no-color
  • tofu validate -no-color
  • pre-commit run --all-files --config /home/user/git/makeitworkcloud/images/tfroot-runner/pre-commit-config.yaml

Caveats

  • No live tofu plan/apply was run locally; PR CI should produce the live plan.
  • The sensitive access key must be copied into a SOPS-encrypted Kubernetes Secret before the operator can decrypt KMS-backed SopsSecret resources.

@github-actions


OpenTofu Plan

OpenTofu will perform the following actions:

  # aws_iam_access_key.sops_secrets_operator will be created
  + resource "aws_iam_access_key" "sops_secrets_operator" {
      + create_date                    = (known after apply)
      + encrypted_secret               = (known after apply)
      + encrypted_ses_smtp_password_v4 = (known after apply)
      + id                             = (known after apply)
      + key_fingerprint                = (known after apply)
      + secret                         = (sensitive value)
      + ses_smtp_password_v4           = (sensitive value)
      + status                         = "Active"
      + user                           = "sops-secrets-operator"
    }

  # aws_iam_user.sops_secrets_operator will be created
  + resource "aws_iam_user" "sops_secrets_operator" {
      + arn           = (known after apply)
      + force_destroy = false
      + id            = (known after apply)
      + name          = "sops-secrets-operator"
      + path          = "/"
      + tags          = {
          + "ManagedBy" = "Terraform"
          + "Purpose"   = "sops-secrets-operator"
        }
      + tags_all      = {
          + "ManagedBy" = "Terraform"
          + "Purpose"   = "sops-secrets-operator"
        }
      + unique_id     = (known after apply)
    }

  # aws_iam_user_policy.sops_secrets_operator_kms will be created
  + resource "aws_iam_user_policy" "sops_secrets_operator_kms" {
      + id          = (known after apply)
      + name        = "sops-kms-decrypt"
      + name_prefix = (known after apply)
      + policy      = jsonencode(
            {
              + Statement = [
                  + {
                      + Action   = [
                          + "kms:Decrypt",
                          + "kms:DescribeKey",
                        ]
                      + Effect   = "Allow"
                      + Resource = "arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91"
                    },
                ]
              + Version   = "2012-10-17"
            }
        )
      + user        = "sops-secrets-operator"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + sops_secrets_operator_access_key   = (sensitive value)
  + sops_secrets_operator_iam_user_arn = (known after apply)
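The plan above renders the operator's KMS policy. As an added example that is not part of this PR or the repository, the following Python check lints such an IAM policy document and reports anything beyond kms:Decrypt and kms:DescribeKey on the single SOPS key; the overly broad policy is a constructed counter-example, and the key ARN is the one shown in the plan.

```python
"""Lint an IAM policy document so an operator identity keeps only SOPS decrypt rights."""
import json

# Actions the sops-secrets-operator needs: kms:Decrypt for the data key and
# kms:DescribeKey, which SOPS uses when resolving the key. Anything else is excess.
ALLOWED_ACTIONS = {"kms:Decrypt", "kms:DescribeKey"}
SOPS_KEY_ARN = "arn:aws:kms:us-west-2:332355796717:key/0a45c0f6-71dc-4d54-ab33-9df4de1a9e91"

# Policy as rendered in the plan for aws_iam_user_policy.sops_secrets_operator_kms.
OPERATOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": SOPS_KEY_ARN,
    }],
})

# Constructed counter-example: the kind of grant this check is meant to reject.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "kms:*", "Resource": "*"}],
})


def _as_list(value):
    """IAM accepts a single value or a list for Statement/Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy_json: str, expected_key_arn: str) -> list[str]:
    """Return findings for every Allow statement; an empty list means the grant is
    limited to ALLOWED_ACTIONS on exactly the expected KMS key."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource widen the grant")
        # kms:* and any non-SOPS action both surface as unexpected actions here.
        extra = set(_as_list(stmt.get("Action", []))) - ALLOWED_ACTIONS
        if extra:
            findings.append(f"statement {i}: unexpected actions {sorted(extra)}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != expected_key_arn:
                findings.append(f"statement {i}: resource {res!r} is not the SOPS key")
    return findings
```

Running it as a CI step against the rendered policy JSON catches a later widening of the grant (for example a `kms:*` action or a `*` resource) before apply.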

@xnoto xnoto merged commit 3b21a49 into main Jun 19, 2026
3 checks passed
@xnoto xnoto deleted the feat/sops-secrets-operator-kms-identity branch June 19, 2026 05:52