terraform-provider-sops
Add support for .tfvars files
Hello, I was wondering if there is any plan (assuming there is a way to implement it, which I'm not sure about) to add support for encrypted .tfvars files in addition to yaml and json.
I have used encrypted .tfvars files with SOPS and terragrunt in the past, relying on terragrunt pre/post hooks to decrypt and encrypt the .tfvars files before I fed them to terraform using -var-file flags.
I think it would be nice if we could have support for .tfvars files here, in order to have all the consistency checks provided by terraform on variables (type checking, checking whether they have been declared, etc.).
To be more specific, this is what I have in mind:
```hcl
# secrets.enc.tfvars
password = "superSecret"
```

```hcl
# main.tf
terraform {
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "~> 0.5"
    }
  }
}

data "sops_file" "secret" {
  # The content is actually loaded as terraform variables
  source_file = "secrets.enc.tfvars"
  input_type  = "tfvars" # proposed value, not an input_type the provider accepts today
}

variable "password" {
  type = string
}

output "password" {
  value = var.password
}
```
Do you think it's actually possible to implement this? If yes, would you be interested in this feature?
Hi @cippaciong, I do not believe this is possible with the current Terraform plugin model. If you're interested in driving this, the first step would be to open a discussion on Terraform core to allow providers to hook into the tfvars loading process. If this were to be implemented there, then it'd be very natural to extend this provider with this support!
@cippaciong and anyone in the future coming across this, you can simply store secrets.enc.tfvars.json in proper JSON format and terraform will read this file as usual to accomplish what you are looking for. Then just drop the input_type:
```hcl
data "sops_file" "secret" {
  source_file = "secrets.enc.tfvars.json"
}
```
@jeffrade I'm not sure this results in what is intended, as terraform will load the secrets.enc.tfvars.json with the values still encrypted, and so I don't think any of the consistency checking will apply. Also, one will still have to reference the sops data object to look up values, instead of using var values.
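The two points the thread ends on, that Terraform must never be handed the file while its values are still SOPS ciphertext, and that the pre/post hook pattern from the opening post is the way to get `var.*` values with type checking, as an added Python example. This is not code from terraform-provider-sops or from any participant in the thread. It assumes the SOPS JSON on-disk format (scalars serialised as `ENC[...]` strings plus a top-level `sops` metadata key), a `sops` binary on PATH for the default decryptor, and that the root module is the directory holding the encrypted file; the sample documents are constructed placeholders, not real ciphertext. One detail worth knowing for the workaround above: Terraform only auto-loads `terraform.tfvars[.json]` and `*.auto.tfvars[.json]`, so a file named `secrets.enc.tfvars.json` is read only when passed with `-var-file`, which is why the hook below writes a `*.auto.tfvars.json` next to the module.

```python
"""Pre-flight checks and a decrypt/run/clean-up hook for SOPS-encrypted tfvars JSON.

Added example for this issue thread; it is not code from terraform-provider-sops.
"""
import contextlib
import json
import os
import re
import subprocess
from pathlib import Path

# A SOPS-encrypted scalar is serialised as ENC[<cipher>,data:..,iv:..,tag:..,type:<t>].
ENC_VALUE = re.compile(r"^ENC\[[A-Z0-9_]+,.*,type:(str|int|float|bool)\]$")

# Constructed sample of what `sops -e secrets.tfvars.json` produces. The data/iv/tag
# fields are placeholders shaped like SOPS output, not real ciphertext.
ENCRYPTED_TFVARS_JSON = json.dumps({
    "password": "ENC[AES256_GCM,data:c3VwZXI=,iv:aXY=,tag:dGFn,type:str]",
    "db_port": "ENC[AES256_GCM,data:NTQzMg==,iv:aXY=,tag:dGFn,type:int]",
    "sops": {
        "age": [{"recipient": "age1example", "enc": "-----BEGIN AGE ENCRYPTED FILE-----..."}],
        "lastmodified": "2023-01-01T00:00:00Z",
        "mac": "ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]",
        "version": "3.7.3",
    },
})

# Constructed sample of the same file after `sops -d`.
DECRYPTED_TFVARS_JSON = json.dumps({"password": "superSecret", "db_port": 5432})


def sops_ciphertext_keys(doc):
    """Top-level variable names whose values are still SOPS ciphertext strings."""
    return sorted(k for k, v in doc.items()
                  if k != "sops" and isinstance(v, str) and ENC_VALUE.match(v))


def is_sops_encrypted(text):
    """True if a tfvars JSON document still carries SOPS metadata or ciphertext."""
    doc = json.loads(text)
    return "sops" in doc or bool(sops_ciphertext_keys(doc))


def check_tfvars(text, declared):
    """Problems Terraform would hit, or silently miss, loading `text` as a .tfvars.json.

    `declared` maps variable names to the Python type matching their Terraform type
    (str for string, int/float for number, bool for bool). An empty list means usable.
    """
    doc = json.loads(text)
    ciphertext = set(sops_ciphertext_keys(doc))
    problems = []
    if "sops" in doc:
        problems.append("file still contains the SOPS metadata key 'sops'")
    for name, value in doc.items():
        if name == "sops":
            continue
        if name in ciphertext:
            problems.append(f"{name}: value is SOPS ciphertext, not a variable value")
        elif name not in declared:
            problems.append(f"{name}: not declared as a variable")
        elif not isinstance(value, declared[name]) or (
                declared[name] is not bool and isinstance(value, bool)):
            problems.append(f"{name}: expected {declared[name].__name__}, "
                            f"got {type(value).__name__}")
    return problems


def _sops_decrypt(path):
    """Default decryptor: shell out to the sops CLI (`sops -d <file>`)."""
    return subprocess.run(["sops", "-d", str(path)], check=True,
                          capture_output=True, text=True).stdout


@contextlib.contextmanager
def plaintext_tfvars(enc_path, workdir=None, decrypt=_sops_decrypt):
    """Terragrunt-style pre/post hook: decrypt secrets.enc.tfvars.json to
    secrets.auto.tfvars.json in the root module, yield it, then delete it.
    Terraform auto-loads *.auto.tfvars.json, so no -var-file flag is needed.
    """
    doc = json.loads(decrypt(enc_path))
    doc.pop("sops", None)  # never let SOPS metadata through as a variable
    workdir = Path(workdir) if workdir is not None else Path(enc_path).parent
    out = workdir / (Path(enc_path).name.split(".", 1)[0] + ".auto.tfvars.json")
    # O_EXCL: refuse to clobber an existing file; 0o600: plaintext is owner-readable only.
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(doc, f)
    try:
        yield out
    finally:
        out.unlink(missing_ok=True)


def run_with_plaintext(enc_path, command, workdir=None, decrypt=_sops_decrypt):
    """Run `command(path)` (e.g. `terraform plan` in the module dir) with the plaintext present."""
    with plaintext_tfvars(enc_path, workdir, decrypt) as path:
        return command(path)


if __name__ == "__main__":
    declared = {"password": str, "db_port": int}
    print(check_tfvars(ENCRYPTED_TFVARS_JSON, declared))
    print(check_tfvars(DECRYPTED_TFVARS_JSON, declared))
```

`check_tfvars` is what the sops_file data source cannot give you: it reports the `sops` metadata key and every `ENC[...]` value, which is exactly what Terraform would otherwise accept as a perfectly valid string for `var.db_port`, and it applies the declared-type check that the opening post wants from Terraform itself. The hook writes the plaintext with `O_EXCL` and mode 0600 and removes it in `finally`, so a failing `terraform plan` does not leave decrypted secrets beside the module.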