
can encrypt with a configured or specific key?

Open mrgleeco opened this issue 4 years ago • 10 comments

Hello - this is a general question about this provider. It's unclear how / if this can be done:

I'd like to use terraform to provision a new key and a new ring. Then I'd like to sops-encrypt a local file with that key. Ideally then I can use the sops provider output for other recipes.

I guess I'm asking if I can specify a key, and then it would be something like

depends_on: [google_kms_crypto_key.myrobot.id]

Or maybe: could it be done? Is there a clear path for a contribution? :-)

mrgleeco avatar Jul 30 '21 01:07 mrgleeco

Hi @mrgleeco, missed this one, apologies! I think the main missing component is that the provider currently does not have a way to output sops-encrypted data. This in turn is because the sops Go packages do not expose the encryption functionality for others to use. I think this is intentional (probably to avoid being asked to support cases where someone made a mistake in usage and lost data?), but I don't think there's any official word on it. There's an issue in their repo, though: sops#903

carlpett avatar Oct 17 '21 18:10 carlpett

Can you not use the packages used in this file? https://github.com/mozilla/sops/blob/master/cmd/sops/encrypt.go

isaacsanders avatar Feb 21 '23 17:02 isaacsanders

Sadly, they are not exposed (Go functions/types are not exposed to outside code unless they have a leading capital letter in their name).

carlpett avatar Feb 22 '23 21:02 carlpett

Isn’t sops.Tree exposed? And then there is Tree.Encrypt.

isaacsanders avatar Feb 22 '23 22:02 isaacsanders

https://github.com/mozilla/sops/blob/66043e71a81787d6513bc2e5505a29aac67dc6f1/sops.go

The top level module has Tree and Encrypt in it.

isaacsanders avatar Feb 22 '23 22:02 isaacsanders

I know they don't guarantee its API, but it hasn't changed in 2 years. I think we could get a lot of value out of it if it doesn't change all that often.

isaacsanders avatar Feb 22 '23 22:02 isaacsanders

Unfortunately, those are not all that easy to use for us either. Even though they are exposed, there's a non-trivial amount of supporting code which isn't, both in pre-processing and post-processing stages. Technically we could of course copy that code over and patch something together, but it'd grow the amount of code we need to understand and maintain drastically.

carlpett avatar Feb 23 '23 06:02 carlpett

@carlpett Hey, seems like this might be on its way now? https://github.com/getsops/sops/pull/1174

oscar-b avatar Jul 05 '23 14:07 oscar-b

Let's see where it goes! I'm not convinced that patch will be accepted, given that it doesn't really encapsulate it as a library, but exposes all of the guts including Stores, KeyGroups, etc. But if it does, we'll take a look at it.

carlpett avatar Jul 06 '23 11:07 carlpett

I was searching for how to use the custom key. I found you can use SOPS configuration variables such as SOPS_AGE_KEY_FILE or SOPS_AGE_KEY; maybe it can work on your use case too.

frbayart avatar Oct 16 '23 07:10 frbayart
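Since the thread concludes that the provider can only decrypt, the workable pattern for the original question is: provision the KMS key with Terraform, run sops --encrypt --gcp-kms out of band, then read the encrypted file back with the provider's sops_file data source. The configuration below is an added example written for this thread, not code from the provider project or from anyone in the discussion. The key ring and key names, the file name secrets.enc.yaml, the db_password entry and the service account in the IAM binding are placeholders; also note that depends_on takes a resource address, not an attribute such as .id.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    sops   = { source = "carlpett/sops" }
  }
}

# Placeholder key ring and key; names are assumptions for this example.
resource "google_kms_key_ring" "myrobot" {
  name     = "myrobot-ring"
  location = "global"
}

resource "google_kms_crypto_key" "myrobot" {
  name     = "myrobot-key"
  key_ring = google_kms_key_ring.myrobot.id
}

# Least privilege: the identity that runs terraform only needs to decrypt,
# never to encrypt or to manage the key. The service account is a placeholder.
resource "google_kms_crypto_key_iam_member" "terraform_decrypt" {
  crypto_key_id = google_kms_crypto_key.myrobot.id
  role          = "roles/cloudkms.cryptoKeyDecrypter"
  member        = "serviceAccount:terraform@example-project.iam.gserviceaccount.com"
}

# The full resource name, in the form sops expects for:
#   sops --encrypt --gcp-kms "$(terraform output -raw sops_kms_key)" secrets.yaml > secrets.enc.yaml
output "sops_kms_key" {
  value = google_kms_crypto_key.myrobot.id
}

# Decrypt-only step: secrets.enc.yaml was produced by sops outside Terraform.
# depends_on references the IAM binding's resource address, not an attribute.
data "sops_file" "secrets" {
  source_file = "${path.module}/secrets.enc.yaml"
  depends_on  = [google_kms_crypto_key_iam_member.terraform_decrypt]
}

# Individual values are reached through the data map; mark them sensitive.
output "db_password" {
  value     = data.sops_file.secrets.data["db_password"]
  sensitive = true
}
```

Because the encrypted file cannot exist before the key does, the first run is a targeted apply of the key resources (for example terraform apply -target=google_kms_crypto_key.myrobot), followed by the out-of-band sops encryption and then a full apply. Everything the data source decrypts is written to the Terraform state in plaintext, so the state backend needs the same access controls as the KMS key itself.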