Diffusion Comm 2b48a43b4ac2

[terraform] Introduce SOPS secrets

Description

[terraform] Introduce SOPS secrets

Summary:
This diff:

  • Introduces a .sops.yaml configuration file for SOPS files in the repo.
  • Introduces the services/terraform/remote/secrets.json file that contains some secrets. Now it contains a few examples:
    • Prod/staging account IDs
    • Keyserver public key, used by Identity Service
  • Makes these secrets accessible to Terraform

Depends on D8666

Test Plan:

Note that the test plan requires access to the "Terraform/Infra" AWS account. Contact me if you need access.

  • CLI decryption with plaintext (!) output to stdout:
      cd services/terraform/remote
      sops -d secrets.json
  • Secrets should be accessible from Terraform:
    1. Add an example output:
        output "my_secret" {
          # It must be wrapped in nonsensitive() or TF will output only a redacted placeholder
          value = nonsensitive(local.secrets["accountIDs.staging"])
        }
    2. Run Terraform:
        cd services/terraform/remote
        terraform apply

Should output:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
my_secret = "123456789012"

Reviewers: ashoat, jon, varun

Reviewed By: jon

Subscribers: tomek

Differential Revision: https://phab.comm.dev/D8667
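An added pre-commit style guard, not part of this diff or the Comm repository, that checks a SOPS JSON file such as secrets.json is actually encrypted before it lands in the repo: every leaf must be an ENC[...] envelope, the sops metadata block must carry a MAC and at least one key group, and keys ending in the unencrypted suffix are skipped because SOPS leaves them in clear by design. The sample documents below are constructed and contain no real ciphertext or key material.

```python
import json
import re
from typing import Any, List

# Every leaf in a SOPS-encrypted file is wrapped in this envelope; the "sops" block stays plaintext except for its MAC.
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[^,\]]*,iv:[^,\]]*,tag:[^,\]]*,type:(str|int|float|bool|comment)\]$"
)
KEY_GROUPS = ("kms", "gcp_kms", "azure_kv", "hc_vault", "age", "pgp")


def _walk(node: Any, path: str, suffix: str, problems: List[str]) -> None:
    """Record the dotted path of every leaf that is not an ENC[...] envelope."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k.endswith(suffix):  # *_unencrypted keys are intentionally plaintext
                continue
            _walk(v, f"{path}.{k}" if path else k, suffix, problems)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", suffix, problems)
    elif not (isinstance(node, str) and ENC_RE.match(node)):
        problems.append(path)


def check_sops_json(text: str) -> List[str]:
    """Return the problems found; an empty list means the file looks fully encrypted."""
    doc = json.loads(text)
    meta = doc.get("sops")
    if not isinstance(meta, dict):
        return ["missing sops metadata block: file is plaintext"]
    problems: List[str] = []
    if not (isinstance(meta.get("mac"), str) and ENC_RE.match(meta["mac"])):
        problems.append("sops.mac missing or not encrypted")
    if not any(meta.get(g) for g in KEY_GROUPS):  # nothing to decrypt the data key with
        problems.append("no key group (kms/age/pgp/...) listed")
    body = {k: v for k, v in doc.items() if k != "sops"}
    _walk(body, "", meta.get("unencrypted_suffix", "_unencrypted"), problems)
    return problems


# Constructed samples (placeholder ARN and fake base64, not real SOPS output).
ENCRYPTED_SAMPLE = json.dumps({
    "accountIDs": {"staging": "ENC[AES256_GCM,data:c3Rh,iv:aXY=,tag:dGFn,type:str]"},
    "region_unencrypted": "us-east-1",
    "sops": {"kms": [{"arn": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER", "enc": "PLACEHOLDER"}],
             "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
             "unencrypted_suffix": "_unencrypted", "version": "3.7.3"},
})
PLAINTEXT_SAMPLE = json.dumps({"accountIDs": {"staging": "123456789012"}})
MIXED_SAMPLE = ENCRYPTED_SAMPLE.replace("ENC[AES256_GCM,data:c3Rh,iv:aXY=,tag:dGFn,type:str]", "123456789012")
```

Wiring check_sops_json into a pre-commit hook for every path matched by the creation_rules in .sops.yaml catches the common mistake of committing the file after `sops -d` rewrote it in place.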

Details

Provenance
bartek (authored on Jul 29 2023, 11:00 PM)
Reviewer
jon
Differential Revision
D8667: [terraform] Introduce SOPS secrets
Parents
rCOMM57b4dc864720: [nix] Add sops
Branches
Unknown
Tags
Unknown