diff --git a/.github/workflows/iac-secrets.yml b/.github/workflows/iac-secrets.yml
new file mode 100644
index 00000000..f712f004
--- /dev/null
+++ b/.github/workflows/iac-secrets.yml
@@ -0,0 +1,166 @@
+name: 'Secrets GitHub Actions'
+on:
+ workflow_call:
+ inputs:
+ TELEPORT_PROXY_URL:
+ required: false
+ type: string
+ default: ''
+ description: Default Teleport URL
+ GCP_WIP:
+ required: false
+ type: string
+ default: ''
+ description: GCP Workload Identity Provider
+ PROJECT_ID:
+ required: false
+ type: string
+ default: ''
+ description: GCP Project ID
+ WORKING_DIR:
+ required: true
+ type: string
+ default: 'secrets'
+ description: Working directory
+ secrets:
+ TELEPORT_TOKEN:
+ required: false
+ description: Teleport Token name
+ VAULT_TOKEN:
+ required: false
+ description: A Vault token in case vault is required
+ PAT_GIT:
+ required: false
+ description: A PAT token to clone the repository
+
+jobs:
+ terragrunt:
+ name: 'Terraform Vault Secrets'
+ runs-on: ubuntu-latest
+
+ permissions: write-all
+ # defaults:
+ # run:
+ # shell: bash
+ # working-directory: secrets
+
+ steps:
+ - name: Install dependencies
+ run: |
+ sudo apt update
+ sudo apt install unzip git -yq
+
+ - name: cleanup old checkout
+ run: chmod +w -R ${GITHUB_WORKSPACE}; rm -rf ${GITHUB_WORKSPACE}/*;
+
+ - name: 'Checkout'
+ uses: actions/checkout@v4
+
+ - name: Checkout actions
+ uses: actions/checkout@v4
+ with:
+ repository: signalwire/actions-template
+ ref: main
+ path: actions
+
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@v2.1.4'
+ with:
+ workload_identity_provider: ${{ inputs.GCP_WIP }}
+ project_id: ${{ inputs.PROJECT_ID }}
+
+ - name: Sops Binary Installer
+ uses: mdgreenwald/mozilla-sops-action@v1.6.0
+ with:
+ version: 3.7.3
+
+ - name: Authenticate against Teleport to use Vault
+ id: teleportapp
+ uses: ./actions/.github/actions/teleport
+ env:
+ TOKEN: ${{ secrets.TELEPORT_TOKEN }}
+ PROXY_URL: ${{ inputs.TELEPORT_PROXY_URL }}
+ with:
+ TELEPORT_APP: vault
+
+ - name: Configure Vault
+ run: |
+ echo VAULT_ADDR=https://${{ inputs.TELEPORT_PROXY_URL }} >> $GITHUB_ENV
+ #echo VAULT_API_ADDR=https://${{ inputs.TELEPORT_PROXY_URL }} >> $GITHUB_ENV
+ echo VAULT_CLIENT_TIMEOUT=120s >> $GITHUB_ENV
+ cp ${{ steps.teleportapp.outputs.certificate-file }} ${{github.workspace}}/certificate-file
+ echo VAULT_CLIENT_CERT=${{github.workspace}}/certificate-file >> $GITHUB_ENV
+ cp ${{ steps.teleportapp.outputs.key-file }} ${{github.workspace}}/key-file
+ echo VAULT_CLIENT_KEY=${{github.workspace}}/key-file >> $GITHUB_ENV
+ echo VAULT_TOKEN=$VAULT_TOKEN >> $GITHUB_ENV
+ env:
+ VAULT_TOKEN: ${{ secrets.VAULT_TOKEN }}
+
+ - uses: opentofu/setup-opentofu@main
+
+ - name: Init
+ id: init
+ working-directory: ${{ inputs.WORKING_DIR }}
+ run: |
+ git config --global url."https://user:${{secrets.PAT_GIT}}@github.com".insteadOf "https://github.com"
+ tofu init
+
+ - name: Validate
+ id: validate
+ working-directory: ${{ inputs.WORKING_DIR }}
+ run: |
+ tofu validate
+
+ - name: Plan
+ id: plan
+ continue-on-error: true
+ working-directory: ${{ inputs.WORKING_DIR }}
+ run: |
+ tofu plan -no-color
+
+ - uses: actions/github-script@v6
+ if: github.event_name == 'pull_request'
+ env:
+ PLAN: "tofu\n${{ steps.plan.outputs.stdout }}"
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const output = `#### OpenTofu Initialization ⚙️\`${{ steps.init.outcome }}\`
+ #### OpenTofu Validation 🤖\`${{ steps.validate.outcome }}\`
+ Validation Output
+
+ \`\`\`\n
+ ${{ steps.validate.outputs.stdout }}
+ \`\`\`
+
+
+
+ #### OpenTofu Plan 📖\`${{ steps.plan.outcome }}\`
+
+ Show Plan
+
+ \`\`\`\n
+ ${process.env.PLAN}
+ \`\`\`
+
+
+
+ *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ inputs.WORKING_DIR }}\`, Workflow: \`${{ github.workflow }}\`*`;
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
+
+ - name: Apply
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ working-directory: ${{ inputs.WORKING_DIR }}
+ id: apply
+ run: |
+ tofu apply --auto-approve
+
+ - run: sudo chmod -R 777 /home/runner/_work/${{ github.event.repository.name }}
+ continue-on-error: true
\ No newline at end of file
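Review bot: `permissions: write-all` on the `terragrunt` job hands the GITHUB_TOKEN every scope, while the visible steps need only `contents: read` for the two checkouts, `id-token: write` for the Workload Identity exchange in `google-github-actions/auth`, and `pull-requests: write` for the `createComment` call, so the line should become `permissions: { contents: read, id-token: write, pull-requests: write }`. That token, together with `VAULT_TOKEN` written into `$GITHUB_ENV` and `PAT_GIT` baked into the global git config, is inherited by every later step, including `opentofu/setup-opentofu@main` and the `signalwire/actions-template` checkout at `ref: main`, both of which float on a mutable branch rather than a pinned commit SHA. The github-script step splices `${{ steps.validate.outputs.stdout }}` and `${{ inputs.WORKING_DIR }}` directly into the JavaScript template literal instead of routing them through `env:` as `PLAN` already does; a plain `run:` step does not set a `stdout` output, so the first currently expands to nothing, but the caller-supplied `WORKING_DIR` is live expression injection into code that runs with the job token. Finally, `Apply` runs `tofu apply --auto-approve` on push to `main` regardless of the `Plan` outcome (`continue-on-error: true`) and without a saved plan file, so what is applied need not match what the PR comment showed; consider `tofu plan -out=tfplan` followed by `tofu apply tfplan`, and drop the trailing `chmod -R 777` in favour of a scoped cleanup.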