From 57beb5595f78ad090956e697dc3f24dd5d1696b1 Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Sat, 20 Jan 2024 20:45:19 +0100
Subject: [PATCH] secrets: tf provider sops -> tfvars

---
 .auto.tfvars.enc.yaml | 22 ++++++++++++++++++++++
 .gitignore | 3 ---
 .sops.yaml | 2 +-
 .terraformignore | 3 ---
 README.md | 22 ++++++++++++----------
 config.nix | 29 +++++++++++++----------------
 flake.nix | 12 +++++++-----
 secrets.enc.yaml | 22 ----------------------
 8 files changed, 55 insertions(+), 60 deletions(-)
 create mode 100644 .auto.tfvars.enc.yaml
 delete mode 100644 secrets.enc.yaml

diff --git a/.auto.tfvars.enc.yaml b/.auto.tfvars.enc.yaml
new file mode 100644
index 0000000..d50fd9f
--- /dev/null
+++ b/.auto.tfvars.enc.yaml
@@ -0,0 +1,22 @@
+tf_cloud_token: ENC[AES256_GCM,data:XkG5QZ6Ul4tIZELgDE3gBwa+iwyUY175L+szDpfz2u/n345LjDwWAqcbwsSm/c6YRUlxdH1WDvNKUWwnlSyD56ksrfO5t0vqPbIQIeHAD/XlCM21lkiPp1hc,iv:2gTTM5jgDZ39LNjlGgv18RVSAEzBOT0soQ6ip5RFbk4=,tag:JPPyvWxXnV0s9Avp5y9iNA==,type:str]
+hcloud_api_token: ENC[AES256_GCM,data:sJW3nPzVKAn2tLJGKcGi7iuA6WfB3B/06R0E5gsOMDLBYMznRnHyP0BtRyLRxfk4RpMAgWI8QWxn7VQsAXjNzw==,iv:RL5JTCy+oU7B9feRZFnKHCFmaEW7O7PB5xzFUpjDhM8=,tag:3S9rJPj5C0DhgCmn2Um/uA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d53yeje0ggysc93uptlpufyhpchyyfs006368j8mw9r20uyeeydse3n7aw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4RTU4Z3hja24wM1JCU2sz
+            UFdRQ2loZ25RdmNQN3ZZZXZOTTFoUk1VVVg4ClBybkJoeW5kTDY1TndsYUFQREVr
+            TENza0M1TDRLTUtMcTJPS3c4K0R5UnMKLS0tIGRHYzBOQ1JHYnhQN1RDWXFMMVQ3
+            RzNnVTJKSDd0aE41YjRvSmJFVHZDQzQKIvfq+ccMlZ1ypgxrBMOm+On0Nl3GVhKW
+            Y8b//WmiuhmYZueq7ZMp0gT40144cE1HneDyuVRZ1az5XnFv5OGXag==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-18T17:54:28Z"
+    mac: ENC[AES256_GCM,data:nEwl132d1V7+gzQGP/qTl0/VpX7psgdNzmfLLOhefJZGqoC5INCgt5DVGE4fiHv1yM8Q+3irDuQPvx4N0dt1y7lY+UdhqbAhANtI+OPdbuC5xpLplgTUiaLuiPGLbeDpNZxpgxqXK1oVCJF356rEmLevYmytKO8HUFMt+qZjjqE=,iv:40JxgMB/+CxNvOTSwLpZCijni24stfF+Qg8sps3xTCE=,tag:S/7fsmwfJvuW+hexuA4p2g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
diff --git a/.gitignore b/.gitignore
index b4fb294..8418b6e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,8 +1,5 @@
 *.bck
 
-# sops
-/secrets.yaml
-
 # age
 /keys.txt
 
diff --git a/.sops.yaml b/.sops.yaml
index a786ad1..0bfb318 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -4,7 +4,7 @@ keys:
 
 # actual sops config
 creation_rules:
-  - path_regex: secrets(\.enc)?\.yaml$
+  - path_regex: \.auto\.tfvars(\.enc)?\.(yaml|json)$
     key_groups:
       - age:
           - *automation
diff --git a/.terraformignore b/.terraformignore
index 27cd9f3..286617f 100644
--- a/.terraformignore
+++ b/.terraformignore
@@ -1,6 +1,3 @@
-# sops
-/secrets.yaml
-
 # age
 /keys.txt
 
diff --git a/README.md b/README.md
index 0085824..66869a8 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,8 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
   nix develop -c $SHELL
   ```
 
+- Handle [credentials](#secrets)
+
 - Applying changes:
 
   ```sh
@@ -69,25 +71,26 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
   ```
 
 - list it in [`sops`](https://getsops.io/) config file `.sops.yaml`
-- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`
+- key setup: set environment variable `SOPS_AGE_KEY_FILE` or `SOPS_AGE_KEY` so `sops` can locate the secret key to an `age` key pair that has its public key listed in `.sops.yaml`, e.g.:
+
+  ```sh
+  export SOPS_AGE_KEY_FILE=./keys.txt
+  ```
+
 - encoding secrets:
 
   ```sh
-  sops -e secrets.yaml > secrets.enc.yaml
+  nix run .#encode
   ```
 
 - decoding secrets:
 
   ```sh
-  sops -d secrets.enc.yaml > secrets.yaml
+  nix run .#decode
   ```
 
 - setting Terraform Cloud credentials, either by:
-  - reusing the shared session:
-
-    ```sh
-    source login.sh
-    ```
+  - decode (as per above) to reuse the shared session
 
   - log in to the Terraform Cloud backend:
 
@@ -97,11 +100,10 @@ Contains [OpenTofu](https://opentofu.org/) code used to manage our infrastructur
 
 ### Configuring
 
-Create a file `.auto.tfvars` containing override for any OpenTofu variables, e.g.:
+In `.auto.tfvars.json` override any OpenTofu variables, e.g.:
 
 ```tfvars
 hcloud_location = "nbg1"
 ```
 
 ## [HCL to Nix](https://gist.github.com/KiaraGrouwstra/249ede6a7dfc00ea44d85bc6bdbcd875)
-
diff --git a/config.nix b/config.nix
index adb1d81..da6b915 100644
--- a/config.nix
+++ b/config.nix
@@ -20,13 +20,10 @@ let
   # { a = 1; } -> { name = "a"; a = 1; }
   setNames = lib.mapAttrs (k: v: { name = k; } // v);
 
-  # "foo" -> "\${data.sops_file.secrets.data[\"foo\"]}"
-  secret = str: lib.tfRef "data.sops_file.secrets.data[\"${str}\"]";
-
   hetzner = let
     # https://docs.hetzner.com/cloud/api/getting-started/generating-api-token
-    token = secret "hcloud_api_token";
+    token = lib.tfRef "var.hcloud_api_token";
   in {
     inherit token;
   };
 
@@ -34,12 +31,6 @@ in rec {
 
   terraform = {
 
-    required_providers = {
-
-      sops.source = "carlpett/sops";
-
-    };
-
     cloud = {
       hostname = "app.terraform.io";
       organization = "bij1";
@@ -52,8 +43,6 @@ in rec {
 
   provider = {
 
-    sops = {};
-
     # Configure the Hetzner Cloud Provider
     hcloud.token = lib.mkForce hetzner.token;
 
@@ -69,6 +58,18 @@ in rec {
   # or using -var="hcloud_api_token=..." CLI option
   variable = {
 
+    # suppress warning, otherwise unused here
+    tf_cloud_token = {
+      type = "string";
+      sensitive = true;
+    };
+
+    hcloud_api_token = {
+      type = "string";
+      description = "[Hetzner Cloud API Token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token)";
+      sensitive = true;
+    };
+
   };
 
   # https://github.com/terranix/terranix-hcloud/blob/main/options.md
@@ -82,10 +83,6 @@ in rec {
 
   data = {
 
-    sops_file.secrets = {
-      source_file = "secrets.enc.yaml";
-    };
-
     hcloud_ssh_keys."all_keys" = {};
   };
 
diff --git a/flake.nix b/flake.nix
index 9dd7a56..aeefeea 100644
--- a/flake.nix
+++ b/flake.nix
@@ -27,6 +27,7 @@
         ];
       };
       tf = "${pkgs.opentofu}/bin/tofu";
+      sops = "${pkgs.sops}/bin/sops";
     in {
       defaultPackage = tfConfig;
 
@@ -47,10 +48,8 @@
           sops
           rage
           woodpecker-cli
-          jq
           inputs.terranix.defaultPackage.${system}
           (opentofu.withPlugins (p: with p; [
-            sops # https://registry.terraform.io/providers/carlpett/sops/latest/docs
             hcloud # https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs
           ]))
         ];
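Review bot: The `tf_cloud_token` entry added to the `variable` block is declared only to silence an unused-variable warning, which shows that the Terraform Cloud token is being fed into OpenTofu as a tfvar although nothing in `config.nix` consumes it; only the flake's `sops -d --extract` does. Because `.auto.tfvars.json` is auto-loaded, that token then rides along with every plan/apply input and, if the `cloud` block is used for remote operations, is presumably uploaded to Terraform Cloud together with the configuration it authenticates to. I would keep the TFC token out of the tfvars file (its own sops-encrypted file or a separate key) and drop the placeholder declaration, or at least replace the comment with one that states the trade-off: `# consumed by the flake (ci.tfrc), not by this config; declared only so tofu does not warn about the undeclared value in .auto.tfvars.json`. The `variable` attribute set continues past this hunk.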
@@ -59,11 +58,10 @@
       apps = let
         tfCommand = cmd: ''
           if [[ -e config.tf.json ]]; then rm -f config.tf.json; fi;
-          export TF_CLOUD_TOKEN=$(${pkgs.sops}/bin/sops -d --extract '["tf_cloud_token"]' secrets.enc.yaml)
           export TF_CLI_CONFIG_FILE="ci.tfrc"
           cat << EOF > "$TF_CLI_CONFIG_FILE"
           credentials "app.terraform.io" {
-            token = "$TF_CLOUD_TOKEN"
+            token = "$(${sops} -d --extract '["tf_cloud_token"]' .auto.tfvars.enc.yaml)"
           }
           EOF
           cp ${tfConfig} config.tf.json \
@@ -74,6 +72,10 @@
           type = "app";
           program = toString (pkgs.writers.writeBash name script);
         }) {
+          # nix run .#encode
+          encode = "${sops} --output-type yaml -e .auto.tfvars.json > .auto.tfvars.enc.yaml";
+          # nix run .#decode
+          decode = "${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";
           # nix run .#check
           check = tfCommand "validate";
           # nix run .#apply
@@ -87,7 +89,7 @@
             ${tfCommand "destroy"}
             rm ${toString ./.}/config.tf.json
             rm ${toString ./.}/*.tfstate*
-            rm ${toString ./.}/secrets.yaml
+            rm ${toString ./.}/.auto.tfvars.json
             rm ${toString ./.}/ci.tfrc
           '';
         };
diff --git a/secrets.enc.yaml b/secrets.enc.yaml
deleted file mode 100644
index e135161..0000000
--- a/secrets.enc.yaml
+++ /dev/null
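Review bot: The new `decode` app writes both API tokens in plaintext to `.auto.tfvars.json` in the repository root, but this commit only removes the old `/secrets.yaml` entries from `.gitignore` and `.terraformignore` and adds no entry for the new file, so a plain `git add .` would commit the decrypted tokens (the `.sops.yaml` rule matching `.auto.tfvars.json` does not prevent that). Add `/.auto.tfvars.json` to `.gitignore` in the same commit, and decide explicitly whether it also belongs in `.terraformignore`, since a file not ignored there is presumably uploaded to Terraform Cloud on remote runs. The shell redirect also creates the file with the caller's default umask; `decode = "umask 077; ${sops} --output-type json -d .auto.tfvars.enc.yaml > .auto.tfvars.json";` keeps the decoded tokens from being readable by other local users. The `apps` attribute set starts and ends outside this hunk.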
@@ -1,22 +0,0 @@
-tf_cloud_token: ENC[AES256_GCM,data:3vx1n4s7eQxMR2ntOlmnASUuCMxhMMHKLuhf644mNLWbv99aPLsqoUQ+cP01hW/Ra98v3U0C0uYZWfkFn/X8CaVIeu1QPv12D1+XSJB0SJal8NZHJTNVTgzL,iv:W0H4lftTD96/ENjV8tA2a8QqAGI2z/jRvgMtQmaGeB0=,tag:MuXGtyDTbRlNW1xshtCH0g==,type:str]
-hcloud_api_token: ENC[AES256_GCM,data:HojFdI9gGnO8IkfOREx4bTqrCNBsCDxnUUOmb+VuLMNIEWEifo9tBhm25I+xAogRd0TuYcY4fkARboGL9qsgrw==,iv:18QLpHdNnG82603FxLL38KJaB9sPJ9gj0vmqQWNb1e0=,tag:/6QPhVZy5P5dvP92HUQR6g==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1d53yeje0ggysc93uptlpufyhpchyyfs006368j8mw9r20uyeeydse3n7aw
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHa2EzMFlLdTQvMUtzL3FL
-            Rk5JZEdoVkpEQkk3eTR6QkFKY01CaGVwUnpFCm00OWg2bmJ3U2xRMExyeFZ6WVRB
-            UWVjVzY5Y01EOUpDNHYrMFYzVE9GUUEKLS0tIE1LYm80b3V3OUkrNWxQVTRaRGhk
-            TkxRZlprc0I3Q3dQRS82bEd4b1VxTUkKvHZc4c7+9Tsny8w5Cm5L6H+enU1R0tY4
-            9OcNPXGv8II5OJp1eT14U/sNecPbiBaQSeK4xHaRDKbGyqx92DtQ8A==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-16T21:29:11Z"
-    mac: ENC[AES256_GCM,data:eIoSEDuND1O5XPisSs/kq7N1UsiZMer9+Ok43o+8HwfH/HAoElM/0fXNhKQWcQQVUdwLIQnJZzHEXIJ77Uh5sDsWynj3ihJBhruDPu3FxOXTvRHBcdxU31b3iQGliaChRD19L2GDhsNO2Pfvhpoovsy2PHoFtpqtYt4+7UmcOCw=,iv:Zz1czzz+3Tb5f81o6adhO7eJSSr+ksXhMQwendPAhM0=,tag:bjF2pXTkGxef9+1kKw0FlQ==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.8.1