diff --git a/apps/k8s01/iot/oauth2.yaml b/apps/k8s01/iot/oauth2.yaml
index b7528f62c4c9aed17c1334ecc6705747dcc86528..c1ffc626001897520c26d8fe35503dc9a9944cbe 100644
--- a/apps/k8s01/iot/oauth2.yaml
+++ b/apps/k8s01/iot/oauth2.yaml
@@ -12,8 +12,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-22T23:29:44Z"
-    mac: ENC[AES256_GCM,data:pzIVwihxBPOMB6QefUHUNju+6SnH9D+eWbZu/oBElXPulJrlju2+uj+1P58hVCpXZvLJNljNJfZdT0CMZqMMVZ7T/4id30BQ+Mt3b+Ib3RqSVvvlBfv7NkJJGFjRfCSnnIX8jPvIu8ATr/KatGRFQhFnlWsXDsiEaLaCyeJ5AtQ=,iv:0nPbs8bLvzs2ud/WNcCzJyKb+WUThmsjGD7qwaG4YCg=,tag:99E4+sjuhO6lgxACjk+bLQ==,type:str]
+    lastmodified: "2023-09-11T07:18:11Z"
+    mac: ENC[AES256_GCM,data:kPRTYIh0XOLNquSkAuU6UXmZp5YrcR1YLE6i5zEjWJZ2lQ7/nFv3zoumy5lAVgaGFWZe+DkRmnmAJuX0YrPToVQqAMLxLJiL2ZtnqgsDgCVtz9qhhDzxlCiiEfJ3G5snqH/gqSn+3ToRA5WnirQ/9XLTNHGbVK4vgSNQZnYR7WI=,iv:jvnb0bJAfJ1Gnf9AePj/CQQci6jel5aeOU0zM8W0fh0=,tag:wrakrH1HzqhBESqM7xVxCQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
@@ -95,6 +95,7 @@ spec:
             whitelist-domain: ENC[AES256_GCM,data:jRPNQJFpx1df8iOADfb4LX/gK9tGnimE,iv:Fti2Z4gAP+AlCp4tiDxjrV/REX7S3neoZs2bMxtN8lM=,tag:YN3ZMpvMRmYdXv5Xr5P2Ag==,type:str]
             session-cookie-minimal: "true"
             silence-ping-logging: "true"
+            scope: openid email profile
         replicaCount: 2
         securityContext:
             enabled: true
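Review bot: The added `scope` line is the only unquoted string in this map (its siblings are written as `"true"`), and nothing records why the `profile` scope is requested alongside `openid email`. Each extra scope widens the claims the identity provider releases to the proxy, so if nothing downstream uses the profile claims (not visible from this hunk), `scope: "openid email"` is the least-privilege value. If `profile` is needed, I would write `scope: "openid email profile"` with a comment above it such as `# profile: required for <consumer of the name/username claims>`. The enclosing map starts above the hunk, so I cannot confirm which key these arguments sit under.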
@@ -140,8 +141,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-22T23:29:44Z"
-    mac: ENC[AES256_GCM,data:pzIVwihxBPOMB6QefUHUNju+6SnH9D+eWbZu/oBElXPulJrlju2+uj+1P58hVCpXZvLJNljNJfZdT0CMZqMMVZ7T/4id30BQ+Mt3b+Ib3RqSVvvlBfv7NkJJGFjRfCSnnIX8jPvIu8ATr/KatGRFQhFnlWsXDsiEaLaCyeJ5AtQ=,iv:0nPbs8bLvzs2ud/WNcCzJyKb+WUThmsjGD7qwaG4YCg=,tag:99E4+sjuhO6lgxACjk+bLQ==,type:str]
+    lastmodified: "2023-09-11T07:18:11Z"
+    mac: ENC[AES256_GCM,data:kPRTYIh0XOLNquSkAuU6UXmZp5YrcR1YLE6i5zEjWJZ2lQ7/nFv3zoumy5lAVgaGFWZe+DkRmnmAJuX0YrPToVQqAMLxLJiL2ZtnqgsDgCVtz9qhhDzxlCiiEfJ3G5snqH/gqSn+3ToRA5WnirQ/9XLTNHGbVK4vgSNQZnYR7WI=,iv:jvnb0bJAfJ1Gnf9AePj/CQQci6jel5aeOU0zM8W0fh0=,tag:wrakrH1HzqhBESqM7xVxCQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
@@ -207,8 +208,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-02-22T23:29:44Z"
-    mac: ENC[AES256_GCM,data:pzIVwihxBPOMB6QefUHUNju+6SnH9D+eWbZu/oBElXPulJrlju2+uj+1P58hVCpXZvLJNljNJfZdT0CMZqMMVZ7T/4id30BQ+Mt3b+Ib3RqSVvvlBfv7NkJJGFjRfCSnnIX8jPvIu8ATr/KatGRFQhFnlWsXDsiEaLaCyeJ5AtQ=,iv:0nPbs8bLvzs2ud/WNcCzJyKb+WUThmsjGD7qwaG4YCg=,tag:99E4+sjuhO6lgxACjk+bLQ==,type:str]
+    lastmodified: "2023-09-11T07:18:11Z"
+    mac: ENC[AES256_GCM,data:kPRTYIh0XOLNquSkAuU6UXmZp5YrcR1YLE6i5zEjWJZ2lQ7/nFv3zoumy5lAVgaGFWZe+DkRmnmAJuX0YrPToVQqAMLxLJiL2ZtnqgsDgCVtz9qhhDzxlCiiEfJ3G5snqH/gqSn+3ToRA5WnirQ/9XLTNHGbVK4vgSNQZnYR7WI=,iv:jvnb0bJAfJ1Gnf9AePj/CQQci6jel5aeOU0zM8W0fh0=,tag:wrakrH1HzqhBESqM7xVxCQ==,type:str]
     pgp:
         - created_at: "2022-01-22T04:06:16Z"
           enc: |-
diff --git a/terraform/Earthfile b/terraform/Earthfile
new file mode 100644
index 0000000000000000000000000000000000000000..3e6b314c79735df31764dda23a74be5a0615c46c
--- /dev/null
+++ b/terraform/Earthfile
@@ -0,0 +1,18 @@
+VERSION 0.7
+
+cli:
+    FROM ../images/mirror+fedora
+    WORKDIR /root/
+    COPY ../images/opentf+build/opentf /usr/local/bin/opentf
+    COPY . ./
+
+k8s01-init:
+    FROM +cli
+    WORKDIR /root/k8s01
+    RUN opentf init -upgrade
+    SAVE ARTIFACT .terraform.lock.hcl .terraform.lock.hcl AS LOCAL k8s01/.terraform.lock.hcl
+
+k8s01-plan:
+    FROM +cli
+    WORKDIR /root/k8s01
+    RUN opentf plan
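Review bot: `k8s01-plan` builds from `+cli` and never runs an init, so it can only work if `COPY . ./` brought a host-side `.terraform` directory into the image. That same copy would also pick up any local state or `*.tfvars` files under `terraform/` unless an `.earthlyignore` excludes them (none is visible in this commit). Separately, the only init in the file is `opentf init -upgrade`, which re-resolves providers and rewrites `.terraform.lock.hcl` instead of verifying downloads against the committed hashes. For the plan path I would add `RUN opentf init -lockfile=readonly` before `RUN opentf plan`, and keep `k8s01-init` as the explicit, reviewed way to bump the lock file. A comment on `k8s01-init` such as `# Upgrades providers and rewrites the lock file; review the resulting diff before committing` would make that intent clear.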