[terraform] Introduce SOPS secrets
ClosedPublic
Actions

Authored by bartek on Jul 29 2023, 11:28 PM.

Details

Reviewers

• jon
varun
ashoat

Commits

rCOMM2b48a43b4ac2: [terraform] Introduce SOPS secrets

Summary

This diff:

Introduces .sops.yaml configuration file for SOPS files in the repo.
Introduces services/terraform/remote/secrets.json file that contains some secrets. Now it contains a few examples:
- Prod/staging account IDs
- Keyserver public key, used by Identity Service
Makes these secrets accessible by Terraform

Depends on D8666

Test Plan

Note that the test plan requires access to the "Terraform/Infra" AWS account. Contact me if you need access.

CLI decryption with plaintext! output to stdout:

cd services/terraform/remote
sops -d secrets.json

Secrets should be accessible from Terraform:
1. Add example output:

output "my_secret" {
  # It must be wrapped in nonsensitive() or TF will output only redacted placeholder
  value = nonsensitive(local.secrets["accountIDs.staging"])
}

Run Terraform:

cd services/terraform/remote
terraform apply

Should output:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
my_secret = "123456789012"

Diff Detail

Repository

rCOMM Comm

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

bartek created this revision.Jul 29 2023, 11:28 PM

bartek held this revision as a draft.

Herald added a subscriber: tomek. · View Herald TranscriptJul 29 2023, 11:28 PM

bartek added a child revision: D8668: [services][terraform] Add Identity service.Jul 29 2023, 11:32 PM

bartek edited the test plan for this revision. (Show Details)Jul 29 2023, 11:42 PM

Harbormaster completed remote builds in B21347: Diff 29238.Jul 29 2023, 11:46 PM

bartek published this revision for review.Jul 29 2023, 11:53 PM

bartek added inline comments.

services/terraform/remote/secrets.json
1–6 ↗	(On Diff #29238)	The greatest advantage of SOPS over other encryption solutions (e.g. git-crypt) is that we can still see the structure of the JSON / YAML file - we can see the keys, but their values are encrypted with AES-256. When the value is updated, we can see the change in git diff view. Above this comment, the keys are added by me. Below this comment, there's a block that is auto-generated by sops. Basically, it encrypts the AES-256 key using remote KMS.

bartek added a child revision: D8669: [services][terraform] Introduce S3 backend.Jul 31 2023, 1:38 AM

Can you clarify how the secret is stored / accessed? Eg. does the human running the script enter their AWS credentials somewhere (or perhaps the AWS credentials of the Terraform account, or the AWS credentials of an IAM user on the Terraform account) to access the secret? If so, where / how are those credentials entered?

In D8667#255988, @ashoat wrote:

Can you clarify how the secret is stored / accessed? Eg. does the human running the script enter their AWS credentials somewhere (or perhaps the AWS credentials of the Terraform account, or the AWS credentials of an IAM user on the Terraform account) to access the secret? If so, where / how are those credentials entered?

The secret itself is stored in this encrypted JSON file. It is encrypted with a KMS key stored on the "Terraform/Infra" AWS account, so actors wanting to decrypt it need to provide AWS credentials with proper permissions.
There are several ways of providing such credentials, each having pros and cons depending on use case - AWS has extensive docs here. In our case:

If the actor is a human, we'll use SSO session and AWS CLI (a.k.a short-term credentials) - I'm writing docs about this on Notion.
If the actor is CI or another non-human process, we can create a dedicated IAM role for it with minimal required permissions.

Thanks for explaining! This looks good to me, but I'd like one of the other reviewers to review it as well, since I don't know how to read .tf files yet

• jon accepted this revision.Aug 1 2023, 10:08 AM

This revision is now accepted and ready to land.Aug 1 2023, 10:08 AM

Closed by commit rCOMM2b48a43b4ac2: [terraform] Introduce SOPS secrets (authored by bartek). · Explain WhyAug 1 2023, 11:23 AM

This revision was automatically updated to reflect the committed changes.

bartek added a commit: rCOMM2b48a43b4ac2: [terraform] Introduce SOPS secrets.