[terraform] Introduce SOPS secrets
Summary:
This diff:
- Introduces .sops.yaml configuration file for SOPS files in the repo.
- Introduces services/terraform/remote/secrets.json file that contains some secrets. Now it contains a few examples:
  - Prod/staging account IDs
  - Keyserver public key, used by Identity Service
- Makes these secrets accessible by Terraform
Depends on D8666
Test Plan:
Note that the test plan requires access to the "Terraform/Infra" AWS account. Contact me if you need access.
- CLI decryption with plaintext! output to stdout:
    cd services/terraform/remote
    sops -d secrets.json
- Secrets should be accessible from Terraform:
  - Add example output:
      output "my_secret" {
        # It must be wrapped in nonsensitive() or TF will output only redacted placeholder
        value = nonsensitive(local.secrets["accountIDs.staging"])
      }
  - Run Terraform:
      cd services/terraform/remote
      terraform apply
    Should output:
      Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
      Outputs:
      my_secret = "123456789012"
Reviewers: ashoat, jon, varun
Reviewed By: jon
Subscribers: tomek
Differential Revision: https://phab.comm.dev/D8667