From 22fe35b7eb65938b6e31eccd9219f1ae7cc010d4 Mon Sep 17 00:00:00 2001
From: xnoto
Date: Thu, 18 Jun 2026 22:01:25 -0600
Subject: [PATCH] ci: assume sops kms role with oidc

---
 .github/workflows/opentofu.yml | 29 ++++++++++++++++++++++++++++-
 AGENTS.md | 11 ++++++++---
 README.md | 9 ++++++---
 3 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/opentofu.yml b/.github/workflows/opentofu.yml
index 9171d1c..4328160 100644
--- a/.github/workflows/opentofu.yml
+++ b/.github/workflows/opentofu.yml
@@ -15,9 +15,17 @@ on:
 description: Whether to setup SSH keys
 type: boolean
 default: false
+ aws-region:
+ description: AWS region for SOPS KMS access
+ type: string
+ default: us-west-2
+ aws-role-to-assume:
+ description: AWS IAM role to assume for SOPS KMS access
+ type: string
+ default: arn:aws:iam::332355796717:role/github-actions-sops-kms
 secrets:
 SOPS_AGE_KEY:
- required: true
+ required: false
 SSH_PRIVATE_KEY:
 required: false
 SSH_KNOWN_HOSTS:
@@ -25,6 +33,7 @@ on:

 permissions:
 contents: read
+ id-token: write
 pull-requests: write

 jobs:
@@ -38,6 +47,12 @@ jobs:
 with:
 fetch-depth: 0

+ - name: Configure AWS credentials for SOPS KMS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.aws-role-to-assume }}
+ aws-region: ${{ inputs.aws-region }}
+
 - name: Install SSH key
 if: ${{ inputs.setup-ssh }}
 uses: shimataro/ssh-key-action@v2
@@ -66,6 +81,12 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4

+ - name: Configure AWS credentials for SOPS KMS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.aws-role-to-assume }}
+ aws-region: ${{ inputs.aws-region }}
+
 - name: Install SSH key
 if: ${{ inputs.setup-ssh }}
 uses: shimataro/ssh-key-action@v2
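Review bot: The default for `aws-role-to-assume` hard-codes an account-specific role ARN into the shared workflow, so every caller that omits the input will attempt `AssumeRoleWithWebIdentity` against that role, and a repository that the role's trust policy does not cover only discovers this as a runtime failure in the new credentials step. The input description should state the prerequisite, e.g. `description: AWS IAM role assumed via GitHub OIDC for SOPS KMS; its trust policy must allow this repository's OIDC subject`. Since `SOPS_AGE_KEY` becomes `required: false` in the same hunk, that secret's role as an age-only fallback is also worth recording next to it rather than only in AGENTS.md.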
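Review bot: The new `Configure AWS credentials for SOPS KMS` step runs unconditionally, so a caller that relies on the now-optional `SOPS_AGE_KEY` and passes an empty `aws-role-to-assume` fails at this step instead of falling back to age; gate it with `if: ${{ inputs.aws-role-to-assume != '' }}`. The step also leaves the action's default role session name in place, which makes CloudTrail entries from different repositories indistinguishable; adding `role-session-name: ${{ github.repository_owner }}-${{ github.run_id }}` under `with:` makes each assumption attributable to a run. Because this step is what exchanges the OIDC token for cloud credentials, pinning `aws-actions/configure-aws-credentials` to a full commit SHA rather than the `@v4` tag would be prudent, even though the rest of the file pins by tag. The identical block is repeated in the `@@ -66,6 +81,12 @@` and `@@ -115,6 +136,12 @@` hunks and should change in each.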
@@ -115,6 +136,12 @@ jobs:
 - name: Checkout
 uses: actions/checkout@v4

+ - name: Configure AWS credentials for SOPS KMS
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ inputs.aws-role-to-assume }}
+ aws-region: ${{ inputs.aws-region }}
+
 - name: Install SSH key
 if: ${{ inputs.setup-ssh }}
 uses: shimataro/ssh-key-action@v2
diff --git a/AGENTS.md b/AGENTS.md
index f7fbbf0..d72ca41 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -15,9 +15,10 @@ Agents are authorized to push directly to `main` in this repository.
 Reusable workflow for OpenTofu/Terraform root module repositories (`tfroot-*`). It:

 1. Fetches the canonical pre-commit config from `makeitworkcloud/images`
-2. Runs pre-commit on the `arc-tf` runner pod (which is itself the `tfroot-runner` image — no nested `container:` block)
-3. Posts plan output as PR comments
-4. Applies on merge to main
+2. Assumes the SOPS KMS role through GitHub OIDC/WIF
+3. Runs pre-commit on the `arc-tf` runner pod (which is itself the `tfroot-runner` image — no nested `container:` block)
+4. Posts plan output as PR comments
+5. Applies on merge to main

 **Pre-commit configuration is centralized** in `makeitworkcloud/images/tfroot-runner/pre-commit-config.yaml`. Do not add `.pre-commit-config.yaml` to individual tfroot repos.
@@ -28,6 +29,10 @@ Reusable workflow for OpenTofu/Terraform root module repositories (`tfroot-*`).
 | `runs-on` | `arc-tf` | Runner label — the in-cluster ARC scale set whose pods run the tfroot-runner image |
 | `setup-ssh` | `false` | Provision an SSH key + known_hosts for libvirt-style root modules |
 | `environment` | `production` | Environment for the apply job |
+| `aws-region` | `us-west-2` | AWS region for SOPS KMS access |
+| `aws-role-to-assume` | `arn:aws:iam::332355796717:role/github-actions-sops-kms` | IAM role assumed via GitHub OIDC for SOPS KMS decrypt/encrypt |
+
+ Caller workflows must grant `id-token: write` permissions for OIDC. `SOPS_AGE_KEY` is optional while SOPS files retain age recipients, but the preferred path is AWS KMS via OIDC.

 There is no `container` input. The `arc-tf` runner pod IS the image, so adding `container:` on top would nest a container inside a container — don't do it.
diff --git a/README.md b/README.md
index 2a3ad26..292ee95 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ on:

 permissions:
 contents: read
+ id-token: write
 pull-requests: write

 jobs:
@@ -42,6 +43,8 @@ See [images](https://github.com/makeitworkcloud/images) for container source and
 ## Repository Setup

-1. Add `SOPS_AGE_KEY` secret (via tfroot-github or manually)
-2. Create caller workflow in `.github/workflows/`
-3. Ensure repository has required files (e.g., `Makefile` with expected targets)
+1. Grant `id-token: write` in the caller workflow so GitHub OIDC can assume the SOPS KMS role.
+2. Optionally add `SOPS_AGE_KEY` secret as an age fallback while SOPS files retain age recipients.
+3. Ensure the default `aws-role-to-assume` exists (`arn:aws:iam::332355796717:role/github-actions-sops-kms`) or pass another role ARN.
+4. Create caller workflow in `.github/workflows/`.
+5. Ensure repository has required files (e.g., `Makefile` with expected targets).