
Workaround for sops #555

Open. ahawkins opened this issue 5 years ago • 1 comment

REF: https://github.com/mozilla/sops/issues/555

I need something like this because we apply terraform in our CD pipelines. Humans need to assume a role on their machine to use sops. CI/CD doesn't because those machines have access via AWS Instance Profiles.

I don't know a better solution to this problem. It would be nice to rely on structured data manipulation. Unfortunately the content must be munged before passing to the sops library. If the role config is present then sops will try to assume that role.

I'm not sure if this PR should be merged. I'm opening for feedback in search of a better solution.

ahawkins, Aug 21 '20 00:08

Hey @ahawkins, thanks for the PR! I'm not sure I think this is the right way to go. It'd be much better if a proper solution (if needed - from related issues in the sops repo it seems the maintainers aren't sure this should even be needed?) was implemented in upstream sops rather than messing with the file, IMO. As a Terraform-specific workaround, perhaps consider using replace on the sops-encrypted file and then use the sops_external resource?

Something like this:

data "local_file" "yaml" {
  filename = "basic.yaml"
}

data "sops_external" "demo-secret" {
  source     = replace(data.local_file.yaml.content, "/your-regex/", "")
  input_type = "yaml"
}

carlpett, Aug 25 '20 06:08
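The structured alternative to a regex that the first post wished for, as an added example that is not part of the PR or of the provider: parse the encrypted file, drop the role field from every entry under sops.kms, and write it back. It uses a JSON-formatted sops file (sops supports JSON as well as YAML, and the sops metadata block has the same shape in both) so that it runs with the standard library only; all ARNs and encrypted values below are constructed placeholders.

```python
import copy
import json

# Constructed sample of a sops-encrypted JSON file. The "sops" block mirrors
# the metadata sops writes (kms list with arn/role/created_at/enc, mac,
# version); every value is a placeholder, not a real key, role or ciphertext.
SAMPLE_SOPS_JSON = json.dumps({
    "db_password": "ENC[AES256_GCM,data:xxxx,iv:xxxx,tag:xxxx,type:str]",
    "sops": {
        "kms": [
            {
                "arn": "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000",
                "role": "arn:aws:iam::000000000000:role/placeholder-sops-decrypt",
                "created_at": "2020-08-21T00:00:00Z",
                "enc": "placeholder-encrypted-data-key",
            },
            {
                # Second key already has no role: nothing to strip here.
                "arn": "arn:aws:kms:eu-west-1:000000000000:key/11111111-1111-1111-1111-111111111111",
                "created_at": "2020-08-21T00:00:00Z",
                "enc": "placeholder-encrypted-data-key",
            },
        ],
        "mac": "ENC[AES256_GCM,data:xxxx,iv:xxxx,tag:xxxx,type:str]",
        "version": "3.6.0",
    },
})


def strip_kms_roles(document):
    """Return (copy, removed_count) where the copy has 'role' removed from every
    sops.kms entry, so the decrypting identity (for example an instance profile
    in CI) calls KMS directly instead of assuming the role named in the file.
    Only the kms entries are touched; the encrypted values, the mac field and
    the rest of the metadata are copied through unchanged, and the input dict
    is not modified."""
    doc = copy.deepcopy(document)
    kms_entries = doc.get("sops", {}).get("kms") or []
    removed = 0
    for entry in kms_entries:
        if entry.pop("role", None) is not None:
            removed += 1
    return doc, removed


def strip_kms_roles_json(text):
    """Same operation on the serialized file: JSON text in, JSON text out."""
    doc, removed = strip_kms_roles(json.loads(text))
    return json.dumps(doc, indent=2), removed
```

The round-tripped text can then be handed to sops_external via source (or written to disk first) in the same way as the replace() variant above, with the difference that a malformed regex cannot silently eat part of an encrypted value.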

Hey, since this approach won't be merged, I'll close the PR. Thanks for the suggestion, though!

carlpett, Nov 07 '22 17:11