Page MenuHomePhabricator

[terraform] Introduce SOPS secrets
ClosedPublic

Authored by bartek on Jul 29 2023, 11:28 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 25, 3:00 PM
Unknown Object (File)
Sat, Nov 23, 2:37 PM
Unknown Object (File)
Sat, Nov 23, 12:54 PM
Unknown Object (File)
Sat, Nov 23, 12:54 PM
Unknown Object (File)
Thu, Nov 21, 1:07 AM
Unknown Object (File)
Sat, Nov 9, 3:02 AM
Unknown Object (File)
Fri, Nov 8, 4:39 AM
Unknown Object (File)
Fri, Nov 8, 2:32 AM
Subscribers

Details

Summary

This diff:

  • Introduces .sops.yaml configuration file for SOPS files in the repo.
  • Introduces services/terraform/remote/secrets.json file that contains some secrets. Now it contains a few examples:
    • Prod/staging account IDs
    • Keyserver public key, used by Identity Service
  • Makes these secrets accessible by Terraform

Depends on D8666

Test Plan

Note that the test plan requires access to the "Terraform/Infra" AWS account. Contact me if you need access.

  • CLI decryption with plaintext! output to stdout:
cd services/terraform/remote
sops -d secrets.json
  • Secrets should be accessible from Terraform:
    1. Add example output:
output "my_secret" {
  # It must be wrapped in nonsensitive() or TF will output only redacted placeholder
  value = nonsensitive(local.secrets["accountIDs.staging"])
}
  1. Run Terraform:
cd services/terraform/remote
terraform apply

Should output:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
my_secret = "123456789012"

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review.Jul 29 2023, 11:53 PM
bartek added inline comments.
services/terraform/remote/secrets.json
1–6 ↗(On Diff #29238)

The greatest advantage of SOPS over other encryption solutions (e.g. git-crypt) is that we can still see the structure of the JSON / YAML file - we can see the keys, but their values are encrypted with AES-256.
When the value is updated, we can see the change in git diff view.

Above this comment, the keys are added by me.
Below this comment, there's a block that is auto-generated by sops.
Basically, it encrypts the AES-256 key using remote KMS.

Can you clarify how the secret is stored / accessed? Eg. does the human running the script enter their AWS credentials somewhere (or perhaps the AWS credentials of the Terraform account, or the AWS credentials of an IAM user on the Terraform account) to access the secret? If so, where / how are those credentials entered?

Can you clarify how the secret is stored / accessed? Eg. does the human running the script enter their AWS credentials somewhere (or perhaps the AWS credentials of the Terraform account, or the AWS credentials of an IAM user on the Terraform account) to access the secret? If so, where / how are those credentials entered?

The secret itself is stored in this encrypted JSON file. It is encrypted with a KMS key stored on the "Terraform/Infra" AWS account, so actors wanting to decrypt it need to provide AWS credentials with proper permissions.
There are several ways of providing such credentials, each having pros and cons depending on use case - AWS has extensive docs here. In our case:

  • If the actor is a human, we'll use SSO session and AWS CLI (a.k.a short-term credentials) - I'm writing docs about this on Notion.
  • If the actor is CI or another non-human process, we can create a dedicated IAM role for it with minimal required permissions.

Thanks for explaining! This looks good to me, but I'd like one of the other reviewers to review it as well, since I don't know how to read .tf files yet

This revision is now accepted and ready to land.Aug 1 2023, 10:08 AM
This revision was automatically updated to reflect the committed changes.