
SOPS support

Open kevcube opened this issue 1 year ago • 4 comments

Describe the Feature

It would be great if Atmos had some interface for retrieving secrets from SOPS to be passed into terraform configuration.

Because we do our terraform configuration in Atmos' YAML, our TF configuration remains the same across environments/deployments. This is usually a good thing, but when something like a secret would change across environments, now we either need our terraform configuration to have some dynamic portion where it will grab the correct secret, or we would need to put the secret in raw YAML which isn't gonna happen.

I'm not sure about the extensibility of YAML

Expected Behavior

Some function in Atmos YAML to decode a SOPS secret from a given path.

Or some function in Atmos to read our SOPS files based on which stack/environment we are currently in and make those secrets available to reference in the YAML somehow.

Use Case

Secrets management can be better integrated with Atmos.

Describe Ideal Solution

See expected behavior

Alternatives Considered

No response

Additional Context

Terraform has a SOPS provider that we can use to do this work in our modules, and Terragrunt has native SOPS functions that can be used to do this in orchestration. Their implementation can be a reference.

kevcube avatar Apr 30 '24 21:04 kevcube
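As an added illustration of the Terragrunt approach the issue body points to as a reference (this is not code from the thread or from Atmos), here is how a `terragrunt.hcl` decrypts a SOPS file at orchestration time and hands the values to a module; the file name, module path and secret keys are constructed for the example:

```hcl
# terragrunt.hcl (constructed example; paths and key names are assumptions)
locals {
  # sops_decrypt_file() is Terragrunt's built-in helper: it invokes sops, which
  # resolves the KMS/age/PGP key recorded in the encrypted file's sops metadata.
  # Decryption happens in the orchestration layer only; the module itself stays
  # identical across environments and just receives plain input variables.
  secrets = yamldecode(sops_decrypt_file(find_in_parent_folders("secrets.enc.yaml")))
}

terraform {
  source = "../../modules/database"
}

inputs = {
  db_username = local.secrets.db.username
  # Declare the matching module variable with sensitive = true so plan output
  # redacts it; this does not stop the value from landing in the state file.
  db_password = local.secrets.db.password
}
```

Whichever layer performs the decryption, the plaintext value still ends up in the Terraform plan and state, so state storage needs to be treated as secret material.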

We've recently extended atmos to support all types of datasources, although most are from gomplate. Unfortunately gomplate doesn't provide native SOPS.

It's a really interesting idea if stack configs could reference a datasource for SOPS encrypted secrets, guarded by cloud-specific keys like KMS.

See how we configure data sources today: https://atmos.tools/cli/configuration#templates

All we would need to do is add a datasource for a sops-encrypted file, then we could support key/value lookups using all the normal mechanisms.

https://github.com/getsops/sops

osterman avatar Apr 30 '24 23:04 osterman

Love this idea -- Good issue @kevcube as this would definitely help us since we love SOPS so much.

@osterman is it possible to create datasources that are just for atmos? Or do they need to come from the upstream gomplate project?

Gowiem avatar May 08 '24 20:05 Gowiem

We can include them simply in the Atmos core, without requiring them in the upstream dependencies. Also, if any of your team would be interested in getting more involved hands-on, let me know and we can coordinate.

osterman avatar May 08 '24 21:05 osterman

This will be a very interesting feature to add to atmos

Currently, I am using terragrunt which has native support for a sops datasource, and this blocks me from moving to atmos

zadm avatar May 26 '24 20:05 zadm