diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 000000000..00b2530fd
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,6 @@
+creation_rules:
+ # Terraform secrets file.
+ - path_regex: services/terraform/remote/secrets\.json$
+ kms: 'arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303'
+ # We can potentially re-use this KMS key for other SOPS-encrypted files
+ # by either copying the 'kms' value or modifying the path regex
diff --git a/services/terraform/remote/.terraform.lock.hcl b/services/terraform/remote/.terraform.lock.hcl
index ebcfbb40f..bf8dc2360 100644
--- a/services/terraform/remote/.terraform.lock.hcl
+++ b/services/terraform/remote/.terraform.lock.hcl
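Review bot: The `path_regex` in the new creation rule is unanchored at the front, so it also matches any deeper path that happens to end in `services/terraform/remote/secrets.json`; anchoring it, `path_regex: ^services/terraform/remote/secrets\.json$`, keeps the rule to the one file the comment describes. The rule also names a single KMS key with no second key or key group, so the ability to decrypt this file rests entirely on that key's policy and on IAM access in account 319076408221; whether that is acceptable depends on the key policy, which this change does not show. A comment on the rule such as `# Decrypt access to secrets.json is gated solely by this key's KMS policy and IAM` would make that trust boundary explicit for the next reader.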
@@ -1,25 +1,40 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. +provider "registry.terraform.io/carlpett/sops" { + version = "0.7.2" + constraints = "0.7.2" + hashes = [ + "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=", + "zh:43f218054ea3a72c9756bf989aeebb9d0f23b66fd08e9fb4ae75d4f921295e82", + "zh:57fd326388042a6b7ecd60f740f81e5ef931546c4f068f054e7df34acf65d190", + "zh:87b970db8c137f4c2fcbff7a5705419a0aea9268ae0ac94f1ec5b978e42ab0d2", + "zh:9e3b67b89ac919f01731eb0466baa08ce0721e6cf962fe6752e7cc526ac0cba0", + "zh:c028f67ef330be0d15ce4d7ac7649a2e07a98ed3003fca52e0c72338b5f481f8", + "zh:c29362e36a44480d0d9cb7d90d1efba63fe7e0e94706b2a07884bc067c46cbc7", + "zh:d5bcfa836244718a1d564aa96eb7d733b4d361b6ecb961f7c5bcd0cadb1dfd05", + ] +} + provider "registry.terraform.io/hashicorp/aws" { version = "5.7.0" constraints = "~> 5.7.0" hashes = [ "h1:gCmR7VjmH1RSMC6eaZRr37iGRDGBgzCPWomHHpeMEgA=", "zh:03240d7fc041d5331db7fd5f2ca4fe031321d07d2a6ca27085c5020dae13f211", "zh:0b5252b14c354636fe0348823195dd901b457de1a033015f4a7d11cfe998c766", "zh:2bfb62325b0487be8d1850a964f09cca0d45148faec577459c2a24334ec9977b", "zh:2f9e317ffc57d2b5117cfe8dc266f88aa139b760bc93d8adeed7ad533a78b5a3", "zh:36512725c9d7c559927b98fead04be58494a3a997e5270b905a75a468e307427", "zh:5483e696d3ea764f746d3fe439f7dcc49001c3c774122d7baa51ce01011f0075", "zh:5967635cc14f969ea26622863a2e3f9d6a7ddd3e7d35a29a7275c5e10579ac8c", "zh:7e63c94a64af5b7aeb36ea6e3719962f65a7c28074532c02549a67212d410bb8", "zh:8a7d5f33b11a3f5c7281413b431fa85de149ed8493ec1eea73d50d2d80a475e6", "zh:8e2ed2d986aaf590975a79a2f6b5e60e0dc7d804ab01a8c03ab181e41cfe9b0f", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", "zh:9c7b8ca1b17489f16a6d0f1fc2aa9c130978ea74c9c861d8435410567a0a888f", "zh:a54385896a70524063f0c5420be26ff6f88909bd8e6902dd3e922577b21fd546", "zh:aecd3a8fb70b938b58d93459bfb311540fd6aaf981924bf34abd48f953b4be0d", 
"zh:f3de076fa3402768d27af0187c6a677777b47691d1f0f84c9b259ff66e65953e", ] }
diff --git a/services/terraform/remote/main.tf b/services/terraform/remote/main.tf
index 31ae3c1c4..5ceaed86e 100644
--- a/services/terraform/remote/main.tf
+++ b/services/terraform/remote/main.tf
@@ -1,20 +1,30 @@
+provider "sops" {}
+
+data "sops_file" "secrets_json" {
+ source_file = "secrets.json"
+}
+
+locals {
+ secrets = jsondecode(data.sops_file.secrets_json.raw)
+}
+
 provider "aws" {
 region = "us-east-2"
 shared_config_files = ["${pathexpand("~/.aws/config")}"]
 shared_credentials_files = ["${pathexpand("~/.aws/credentials")}"]
 # automatically add these tags to all resources
 default_tags {
 tags = {
 # Helps to distinguish which resources are managed by Terraform
 managed_by = "terraform"
 }
 }
 }
 # Shared resources between local dev environment and remote AWS
 module "shared" {
 source = "../modules/shared"
 }
diff --git a/services/terraform/remote/providers.tf b/services/terraform/remote/providers.tf
index 0b988a0be..5ec120ea0 100644
--- a/services/terraform/remote/providers.tf
+++ b/services/terraform/remote/providers.tf
@@ -1,8 +1,13 @@
 terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
 version = "~> 5.7.0"
 }
+
+ sops = {
+ source = "carlpett/sops"
+ version = "0.7.2"
+ }
 }
 }
diff --git a/services/terraform/remote/secrets.json b/services/terraform/remote/secrets.json
new file mode 100644
index 000000000..118475789
--- /dev/null
+++ b/services/terraform/remote/secrets.json
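Review bot: `source_file = "secrets.json"` in the new `sops_file` data source is resolved against Terraform's working directory rather than the module directory, so a run started from elsewhere (a different `-chdir`, a wrapper script) will not find the file this commit adds; `source_file = "${path.module}/secrets.json"` pins it to the module. Separately, `jsondecode(data.sops_file.secrets_json.raw)` places the decrypted values in `local.secrets`, and any resource attribute derived from it is persisted in plaintext in the Terraform state, so the state backend must be treated as holding these secrets; the backend configuration is not in this diff, so that cannot be confirmed here. A short comment above `locals` stating that the decrypted values end up in state would keep later users of `local.secrets` aware of it.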
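Review bot: The new `sops` entry in `required_providers` pins an exact version (`version = "0.7.2"`) while the sibling `aws` entry uses a pessimistic constraint (`~> 5.7.0`); the lockfile in this same commit already fixes the selected version and its hashes, so the exact pin adds no reproducibility but does block patch releases until someone edits this file. If parity with `aws` is intended, `version = "~> 0.7.2"` keeps the style consistent; if the exact pin is deliberate, a one-line comment saying why would stop the next reader from changing it.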
@@ -0,0 +1,26 @@
+{
+ "accountIDs": {
+ "production": "ENC[AES256_GCM,data:bFvAqsaeaK63a89t,iv:DItiKGCI6RPfkjQPSrUWhddvJQKOTnYEeyzgHfckrXw=,tag:5NTw9AuEXhU9eOKzd2wvtw==,type:str]",
+ "staging": "ENC[AES256_GCM,data:qoJZWlb2BusLjLJV,iv:cRt9S8qKZ8qz3q41Xc1o+giTTHA0jWkTLQDFHUHFR2U=,tag:EbZKVX7NkxDmx1s1PIjIeg==,type:str]"
+ },
+ "keyserverPublicKey": "ENC[AES256_GCM,data:6QnxnmA21WMjsqFJHgSxh4UkzoR1LMQuoK+F4uj5cxZPqsvverDjf9OfJg==,iv:gScxT+OOcnIrnc32S/Skk1/y15k2yhMVkCjuCUkQ3Y8=,tag:ZzP+7sgxZoJHD/XpMwwxWg==,type:str]",
+ "sops": {
+ "kms": [
+ {
+ "arn": "arn:aws:kms:us-east-2:319076408221:key/2e54d528-50a2-489c-a4d7-d50c7c9f8303",
+ "created_at": "2023-07-29T15:16:43Z",
+ "enc": "AQICAHj+McP79InpW8dFM/rPPvaCljIlb0zq8qoMY/a2UlUSewFFXrO432X6dWZfZHFVsgoGAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM0LAEze794jBZIKO/AgEQgDuVcwyViTDZoLwGj5icgKlABQFeUofitRD9e19i3Q+0ZyT7sSQ/4t2GuxvVo4cVEIkHCgTNH2RXLoqzPA==",
+ "aws_profile": ""
+ }
+ ],
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2023-07-29T15:45:13Z",
+ "mac": "ENC[AES256_GCM,data:wVc1NNxVauqJrQqjWQDlsunmLYUTr1DOKFzmAQWUOHNc2eF7Fv5KPZ7rH3ktk75vXP3LYu3EPhd/Mr4J7cqps/yOXrZDuSLVcqqaAQDfvinfpGR8ZI9u262iTs7k/mYamnRZ7Cvlmlgb3t6juIWkc01WN+zxAJG8mynEIGiJLjQ=,iv:s6rXITHgv9X6XHAK3/Cm20r3Cc/UyLxo8H33r3elRso=,tag:V+1ax+MMGH+sUXZH48VSwA==,type:str]",
+ "pgp": null,
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.3"
+ }
+}
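Review bot: `"unencrypted_suffix": "_unencrypted"` in the sops metadata means any key later added to this file whose name ends in `_unencrypted` is stored in clear text, so additions need a check that no secret value is given such a name. The `sops.kms.arn`, `created_at` and `lastmodified` fields are plaintext by design and reveal the account id and key id; that is normal for SOPS but worth knowing when the repository is shared. The `mac` field lets `sops` detect edits made to the values outside the tool, so the file should only be changed through `sops` rather than by hand; since JSON cannot carry a comment, that guidance is best stated next to the creation rule in `.sops.yaml`.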