terraform-aws-signing-kms¶
A small, focused OpenTofu / Terraform module that provisions an AWS KMS asymmetric signing key plus an IAM role assumable from an external OIDC IDP (default: GitLab.com). Built for release-binary signing chains where:
- The private key never leaves AWS KMS.
- No human and no long-lived credential can sign — only the CI job
whose OIDC
subclaim matches a caller-supplied pattern. - The apply role that manages the infrastructure cannot mint signatures, even on a full compromise of the apply runner.
Sibling to
terraform-aws-bootstrap
(state backend + OIDC IDP) and
terraform-aws-security-baseline
(account hardening + operator role). This module composes after both.
Start here¶
- Quick start — one-call usage in the README.
- v0.1 design spec — scope decisions, the permission-class split, and rejected alternatives.
- Engineering standards — module conventions, the tag-propagation rule, naming, security defaults.
Related projects¶
phpboyscout/infra— the first user of this module: provisions thegtb-release-signing-v1key forphpboyscout/go-tool-base's Phase 2 signed-update pipeline.go-tool-base— the consuming tool, whosePhase 2 signing prepdocument describes the wider trust model the AWS half implements.