Skip to content

terraform-aws-signing-kms

A small, focused OpenTofu / Terraform module that provisions an AWS KMS asymmetric signing key plus an IAM role assumable from an external OIDC IDP (default: GitLab.com). Built for release-binary signing chains where:

  • The private key never leaves AWS KMS.
  • No human and no long-lived credential can sign — only the CI job whose OIDC sub claim matches a caller-supplied pattern.
  • The apply role that manages the infrastructure cannot mint signatures, even on a full compromise of the apply runner.

Sibling to terraform-aws-bootstrap (state backend + OIDC IDP) and terraform-aws-security-baseline (account hardening + operator role). This module composes after both.

Start here

  • phpboyscout/infra — the first user of this module: provisions the gtb-release-signing-v1 key for phpboyscout/go-tool-base's Phase 2 signed-update pipeline.
  • go-tool-base — the consuming tool, whose Phase 2 signing prep document describes the wider trust model the AWS half implements.