diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,6 @@
+creation_rules:
+ # Terraform secrets file.
+ - path_regex: services/terraform/remote/secrets\.json$
+ kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
+ # We can potentially re-use this KMS key for other SOPS-encrypted files
+ # by either copying the 'kms' value or modifying the path regex
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
@@ -1,6 +1,21 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
+provider "registry.terraform.io/carlpett/sops" {
+ version = "0.7.2"
+ constraints = "0.7.2"
+ hashes = [
+ "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=",
+ "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82",
+ "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190",
+ "zh:87b970db8c137f4c2fcbff7a5705419a0aea9268ae0ac94f1ec5b978e42ab0d2",
+ "zh:9e3b67b89ac919f01731eb0466baa08ce0721e6cf962fe6752e7cc526ac0cba0",
+ "zh:c028f67ef330be0d15ce4d7ac7649a2e07a98ed3003fca52e0c72338b5f481f8",
+ "zh:c29362e36a44480d0d9cb7d90d1efba63fe7e0e94706b2a07884bc067c46cbc7",
+ "zh:d5bcfa836244718a1d564aa96eb7d733b4d361b6ecb961f7c5bcd0cadb1dfd05",
+ ]
+}
+
 provider "registry.terraform.io/hashicorp/aws" {
 version = "5.7.0"
 constraints = "~> 5.7.0"
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -1,3 +1,13 @@
+provider "sops" {}
+
+data "sops_file" "secrets_json" {
+ source_file = "secrets.json"
+}
+
+locals {
+ secrets = jsondecode(data.sops_file.secrets_json.raw)
+}
+
 provider "aws" {
 region = "us-east-2"
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -4,5 +4,10 @@
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+
+ sops = {
+ source = "carlpett/sops"
+ version = "0.7.2"
+ }
 }
 }
diff --git a/services/terraform/remote/secrets.json b/services/terraform/remote/secrets.json
new file mode 100644
--- /dev/null
+++ b/services/terraform/remote/secrets.json
@@ -0,0 +1,26 @@
+{
+ "accountIDs": {
+ "production": "ENC[AES256_GCM,data:bFvAqsaeaK63a89t,iv:DItiKGCI6RPfkjQPSrUWhddvJQKOTnYEeyzgHfckrXw=,tag:5NTw9AuEXhU9eOKzd2wvtw==,type:str]",
+ "staging": "ENC[AES256_GCM,data:qoJZWlb2BusLjLJV,iv:cRt9S8qKZ8qz3q41Xc1o+giTTHA0jWkTLQDFHUHFR2U=,tag:EbZKVX7NkxDmx1s1PIjIeg==,type:str]"
+ },
+ "keyserverPublicKey": "ENC[AES256_GCM,data:6QnxnmA21WMjsqFJHgSxh4UkzoR1LMQuoK+F4uj5cxZPqsvverDjf9OfJg==,iv:gScxT+OOcnIrnc32S/Skk1/y15k2yhMVkCjuCUkQ3Y8=,tag:ZzP+7sgxZoJHD/XpMwwxWg==,type:str]",
+ "sops": {
+ "kms": [
+ {
+ "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303",
+ "created_at": "2023-07-29T15:16:43Z",
+ "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewFFXrO432X6dWZfZHFVsgoGAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM0LAEze794jBZIKO/AgEQgDuVcwyViTDZoLwGj5icgKlABQFeUofitRD9e19i3Q+0ZyT7sSQ/4t2GuxvVo4cVEIkHCgTNH2RXLoqzPA==",
+ "aws_profile": ""
+ }
+ ],
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2023-07-29T15:45:13Z",
+ "mac": "ENC[AES256_GCM,data:wVc1NNxVauqJrQqjWQDlsunmLYUTr1DOKFzmAQWUOHNc2eF7Fv5KPZ7rH3ktk75vXP3LYu3EPhd/Mr4J7cqps/yOXrZDuSLVcqqaAQDfvinfpGR8ZI9u262iTs7k/mYamnRZ7Cvlmlgb3t6juIWkc01WN+zxAJG8mynEIGiJLjQ=,iv:s6rXITHgv9X6XHAK3/Cm20r3Cc/UyLxo8H33r3elRso=,tag:V+1ax+MMGH+sUXZH48VSwA==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
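Review bot: The new `sops` requirement pins an exact `version = "0.7.2"` while the `aws` entry just above it uses the pessimistic constraint `~> 5.7.0`, so the two entries follow different pinning styles with nothing saying why. An exact pin on a community provider is a defensible supply-chain choice (the lock file in this commit records its hashes), but the intent should be written down so the next bump is deliberate, e.g. `# Exact pin: third-party provider, bump only after reviewing the release`. The enclosing block (presumably `required_providers` inside `terraform`) starts before the hunk, so I cannot see whether a comment already covers this.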
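Review bot: `sops.kms` lists a single master key, so if access to `arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303` is revoked or the key is lost there is no other path to this file's plaintext; a second entry in the `kms` list (another key, ideally in a different account or region) is the usual safeguard. SOPS encrypts values only, so the key names `accountIDs.production`, `accountIDs.staging` and `keyserverPublicKey` remain readable in the repository, and `unencrypted_suffix` is `_unencrypted`, so any key later added with that suffix is committed in plaintext. `keyserverPublicKey` is encrypted although its name says public; if it really is a public key it may not belong in this file, and if it is a keypair or private key the name is misleading, so it is worth confirming. Because `main.tf` in this commit reads this file through a `sops_file` data source, the decrypted values will presumably also be written to the Terraform state, so the state backend needs access control equivalent to the KMS key.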