
@tsibley
Created June 14, 2024 20:14
diff --git a/env/production/aws-iam-user-NextstrainPathogenNcov.tf b/env/production/aws-iam-user-NextstrainPathogenNcov.tf
new file mode 100644
index 0000000..966023a
--- /dev/null
+++ b/env/production/aws-iam-user-NextstrainPathogenNcov.tf
@@ -0,0 +1,18 @@
+resource "aws_iam_user" "NextstrainPathogenNcov" {
+ name = "NextstrainPathogen@ncov"
+}
+
+resource "aws_iam_user_policy_attachment" "NextstrainPathogenNcov" {
+ # See also aws-iam-role-GitHubActionsRoleNextstrainRepo@.tf
+ for_each = toset([
+ aws_iam_policy.NextstrainPathogen["ncov"],
+ aws_iam_policy.NextstrainPathogenNcovPrivate,
+ aws_iam_policy.NextstrainPathogenNcovNonStandardPaths,
+ ])
+ user = aws_iam_user.NextstrainPathogenNcov.name
+ policy_arn = each.key.arn
+}
+
+resource "aws_iam_access_key" "NextstrainPathogenNcov" {
+ user = aws_iam_user.NextstrainPathogenNcov.name
+}
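Review bot: `for_each = toset([...])` on the policy attachment is given a set of `aws_iam_policy` objects, but Terraform's `for_each` accepts only a map or a set of strings, so this resource should be rejected at plan time with an invalid for_each error. Switching the set to the policies' ARNs would still fail if the policies are created in the same apply, because the keys would be unknown until then. A map with static keys and `policy_arn = each.value` avoids both problems, and it keeps the attached policy list explicit when reviewing what this user is granted. The key names in the sketch below are illustrative.

```hcl
resource "aws_iam_user_policy_attachment" "NextstrainPathogenNcov" {
  # Static keys keep the instance addresses known at plan time.
  for_each = {
    pathogen           = aws_iam_policy.NextstrainPathogen["ncov"].arn
    private            = aws_iam_policy.NextstrainPathogenNcovPrivate.arn
    non_standard_paths = aws_iam_policy.NextstrainPathogenNcovNonStandardPaths.arn
  }
  # … unchanged: user …
  policy_arn = each.value
}
```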
diff --git a/env/production/github-actions-secrets.tf b/env/production/github-actions-secrets.tf
new file mode 100644
index 0000000..7b235e9
--- /dev/null
+++ b/env/production/github-actions-secrets.tf
@@ -0,0 +1,9 @@
+resource "github_actions_secret" "ncov-ingest" {
+ for_each = tomap({
+ AWS_ACCESS_KEY_ID = aws_iam_access_key.NextstrainPathogenNcov.id,
+ AWS_SECRET_ACCESS_KEY = aws_iam_access_key.NextstrainPathogenNcov.secret,
+ })
+ repository = "ncov-ingest"
+ secret_name = each.key
+ plaintext_value = each.value
+}
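Review bot: The secret access key passed to `plaintext_value` is a long-lived IAM user credential, and both `aws_iam_access_key.NextstrainPathogenNcov.secret` and `plaintext_value` are persisted in Terraform state, so anyone who can read the state can read the key. The comment in the IAM user file points at a GitHub Actions role; if ncov-ingest's workflows can assume a role via OIDC, that would remove the static key altogether, though I can't tell from this diff whether something rules that out. If the key has to stay, I'd add a comment above the resource such as `# Long-lived key for ncov-ingest; the secret lives in Terraform state, so keep the state backend encrypted and access-restricted. Rotate by replacing aws_iam_access_key.NextstrainPathogenNcov.` so the reason and the rotation path are recorded next to the code.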